744 matches found
CVE-2026-57669
Subscriber Broken Access Control in Advanced Contact form 7 DB = 2.0.9 versions...
CVE-2026-57669
The affected software is the WordPress plugin Advanced Contact form 7 DB (versions
Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution
Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin = 1.3.9.6 contains an unrestricted file upload caused by insufficient file type validation and bypass of filename sanitization with non-ASCII characters, letting unauthenticated attackers upload arbitrary files and achieve...
WordPress Advanced Contact form 7 DB plugin <= 2.0.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by timomangcut in WordPress Plugin Advanced Contact form 7 DB versions = 2.0.9...
EUVD-2026-38663
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...
WordPress Advanced Contact Form 7 – Compact DB plugin <= 1.0.0 - Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion vulnerability discovered by Eason - The University of Sydney in WordPress Plugin Advanced Contact Form 7 – Compact DB versions = 1.0.0...
CVE-2026-9843
The CVE-2026-9843 entry covers the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin. Affected versions up to and including 1.5.1 are vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function. Exploitation requires an administrat...
CVE-2026-9843 Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the viewpage function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete...
CVE-2026-11395
The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pullthetrigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be...
EUVD-2026-37863
The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pullthetrigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be...
CVE-2026-11395 CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host
The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pullthetrigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be...
CVE-2026-11395
CVE-2026-11395 : The CF7 to Webhook plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery through the pull_the_trigger path, affecting all versions up to and including 5.0.0. Exploitation requires the admin-configured webhook URL to contain a Contact Form 7 field place...
CVE-2026-9187
The Abandoned Contact Form 7 plugin for WordPress (
CVE-2026-9187 Abandoned Contact Form 7 <= 2.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion via 'recover_id' Parameter
The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the actionremoveabandoned function, which is registered to both the...
EUVD-2026-36909
Unauthenticated Cross Site Scripting XSS in Redirection for Contact Form 7 = 3.2.8 versions...
CVE-2026-49763
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot = 1.3.7 versions...
CVE-2026-49105
Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms = 1.1.4 versions...
CVE-2026-49104
Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms = 1.2.1 versions...
CVE-2026-49106
Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact = 1.1.6 versions...
CVE-2026-49055
Unauthenticated Cross Site Scripting XSS in Drag and Drop Multiple File Upload – Contact Form 7 = 1.3.9.7 versions...