7.5CVSS
7.8AI Score
0.002EPSS
7.5CVSS
7.7AI Score
0.002EPSS
The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX...
8.8CVSS
8.2AI Score
0.002EPSS
The package forms before 1.2.1, from 1.3.0 and before 1.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via email...
5.3CVSS
5.2AI Score
0.001EPSS
The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin before 3.7.0.1 does not sanitise the invitaion_code GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting...
6.1CVSS
6.1AI Score
0.001EPSS
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop...
8.8CVSS
8.6AI Score
0.001EPSS
The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth...
5.4CVSS
5.5AI Score
0.001EPSS
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth...
4.3CVSS
4.6AI Score
0.001EPSS
In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in...
6.1CVSS
6.1AI Score
0.001EPSS
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious...
4.8CVSS
4.9AI Score
0.001EPSS
When dynamic templates are used (OTRSTicketForms), admin can use OTRS tags which are not masked properly and can reveal sensitive information. This issue affects: OTRS AG OTRSTicketForms 6.0.x version 6.0.40 and prior versions; 7.0.x version 7.0.29 and prior versions; 8.0.x version 8.0.3 and prior....
4.9CVSS
5.2AI Score
0.001EPSS
6.5CVSS
6.5AI Score
0.001EPSS
The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table...
5.3CVSS
5.3AI Score
0.001EPSS
The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email...
5.3CVSS
5.6AI Score
0.001EPSS
AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems.....
5.8CVSS
5.5AI Score
0.001EPSS
Easy Registration Forms (ER Forms) Wordpress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is no check on this inputs and the codes are...
8.8CVSS
8.6AI Score
0.005EPSS
An AEM java servlet in AEM versions 6.5.5.0 (and below) and 6.4.8.1 (and below) executes with the permissions of a high privileged service user. If exploited, this could lead to read-only access to sensitive data in an AEM...
7.5CVSS
7.1AI Score
0.003EPSS
The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Sites component. These scripts may be executed in a victim’s browser when...
9CVSS
8AI Score
0.001EPSS
SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing...
6.5CVSS
6.1AI Score
0.001EPSS
This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that...
7.5CVSS
7.5AI Score
0.001EPSS
In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in...
7.4CVSS
6.4AI Score
0.001EPSS
6.1CVSS
6.3AI Score
0.001EPSS
SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed...
6.1CVSS
6.2AI Score
0.001EPSS
The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or...
5.4CVSS
5.4AI Score
0.001EPSS
The marketo-forms-and-tracking plugin through 1.0.2 for WordPress allows wp-admin/admin.php?page=marketo_fat CSRF with resultant...
8.8CVSS
8.7AI Score
0.003EPSS
Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId...
6.1CVSS
6.1AI Score
0.001EPSS
Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information...
6.1CVSS
5.6AI Score
0.001EPSS
Vulnerability in the Oracle Forms product of Oracle Fusion Middleware (component: Services). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Forms. Successful attacks require...
6.1CVSS
5.7AI Score
0.001EPSS
The Shack Forms Pro extension before 4.0.32 for Joomla! allows path traversal via a file...
9.8CVSS
9.3AI Score
0.002EPSS
The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPress has SQL injection via the wp-admin/admin.php?page=nex-forms-main nex_forms_Id...
9.8CVSS
9.9AI Score
0.003EPSS
7.5CVSS
7.7AI Score
0.001EPSS
The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input...
9.8CVSS
9.7AI Score
0.031EPSS
The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the...
6.1CVSS
6.3AI Score
0.001EPSS
7.5CVSS
7.6AI Score
0.001EPSS
The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data...
9.1CVSS
9.2AI Score
0.002EPSS
6.1CVSS
6.4AI Score
0.001EPSS
6.1CVSS
6.4AI Score
0.001EPSS
9.8CVSS
9.9AI Score
0.001EPSS
A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via...
9.8CVSS
9.9AI Score
0.001EPSS
Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information...
6.1CVSS
5.6AI Score
0.001EPSS
Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and....
8.1CVSS
8.1AI Score
0.107EPSS
Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted...
8.8CVSS
8.8AI Score
0.003EPSS
Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information...
6.1CVSS
5.6AI Score
0.001EPSS
An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect...
6.1CVSS
6.3AI Score
0.003EPSS
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id...
6.1CVSS
6.1AI Score
0.291EPSS
8.6CVSS
8.8AI Score
0.003EPSS
Forms is a library for easily creating HTML forms. Versions before 1.3.0 did not have proper html escaping. This means that if the application did not sanitize html on behalf of forms, use of forms may be vulnerable to cross site...
6.1CVSS
5.9AI Score
0.001EPSS
Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported...
4.8CVSS
5.1AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in IBM Forms Experience Builder 8.5.0 and 8.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID:...
5.4CVSS
5AI Score
0.001EPSS
The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads...
7.8CVSS
7.8AI Score
0.072EPSS