77 matches found

ATTACKERKB
added 2026/05/12 7:48 a.m. | 6 views

CVE-2026-7050

The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access a...

CVSS 4.3 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 14

Patchstack
added 2026/04/15 3:52 a.m. | 3 views

WordPress e-shot plugin <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX vulnerability

Missing Authorization to Authenticated Subscriber+ Form Settings Modification via AJAX vulnerability discovered by Poli - CMC Global in WordPress Plugin e-shot versions <= 1.0.2...

CVSS 5.3 | AI score 5.8 | EPSS 0.00014
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE
added 2026/03/26 3:12 p.m. | 0 views

CVE-2026-3986

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the fcontent fie...

CVSS 6.4 | AI score 6 | EPSS 0.00016
Exploits: 0 | References: 1

EUVD
added 2026/03/13 9:31 p.m. | 1 views

EUVD-2026-11770

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the fcontent fie...

CVSS 6.4 | AI score 6 | EPSS 0.00016
Exploits: 0 | References: 6

NVD
added 2026/03/13 7:55 p.m. | 1 views

CVE-2026-3986

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the fcontent fie...

CVSS 6.4 | EPSS 0.00016
Exploits: 0 | References: 5

CVE
added 2026/03/13 8:25 a.m. | 6 views

CVE-2026-3986

CVE-2026-3986 affects the Calculated Fields Form WordPress plugin. The vulnerability is a Stored Cross-Site Scripting flaw in form settings (fcontent in fhtml field types) caused by insufficient capability checks on the form settings save handler and inadequate input sanitization. Affecte...

CVSS 6.4 | AI score 6 | EPSS 0.00016
Exploits: 0 | References: 5

ATTACKERKB
added 2026/03/13 8:25 a.m. | 0 views

CVE-2026-3986

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the fcontent fie...

CVSS 6.4 | AI score 6 | EPSS 0.00016
Exploits: 0 | References: 6

Vulnrichment
added 2026/03/13 8:25 a.m. | 1 views

CVE-2026-3986 Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the fcontent fie...

CVSS 6.4 | AI score 6 | EPSS 0.00016
Exploits: 0 | References: 5

Cvelist
added 2026/03/13 8:25 a.m. | 23 views

CVE-2026-3986 Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the fcontent fie...

CVSS 6.4 | EPSS 0.00016
Exploits: 0 | References: 5

Patchstack
added 2026/03/13 3:44 a.m. | 3 views

WordPress Calculated Fields Form plugin <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Form Settings vulnerability discovered by Hunter Jensen skid in WordPress Plugin Calculated Fields Form versions <= 5.4.5.0...

CVSS 6.4 | AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2026/03/11 1:22 a.m. | 10 views

CVE-2026-2324

CVE-2026-2324 affects the LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress). Up to version 5.2.7 is vulnerable due to missing/incorrect nonce validation in the reload_preview() function, enabling unauthenticated attackers to update settings and inject malicious scripts v...

CVSS 6.1 | AI score 5.6 | EPSS 0.00017
Exploits: 0 | References: 2

Patchstack
added 2026/01/30 3:35 a.m. | 5 views

WordPress SendPress Newsletters plugin <= 1.23.11.6 - Admin+ Stored XSS via Form Settings vulnerability

Admin+ Stored XSS via Form Settings vulnerability discovered by Manab Jyoti Dowarah in WordPress Plugin SendPress Newsletters versions <= 1.23.11.6...

CVSS 6.1 | AI score 5.9 | EPSS 0.00098
Exploits: 2 | References: 1 | Affected Software: 1

EUVD
added 2026/01/17 4:34 a.m. | 2 views

EUVD-2026-3149

The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getcf7formdata' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings...

CVSS 5.3 | AI score 4.9 | EPSS 0.00084
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2021-11585

Malware in sbrugna...

CVSS 4.8 | AI score 4.9 | EPSS 0.00206
Exploits: 2 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2023-24162

Malicious code in bioql PyPI...

CVSS 4.8 | AI score 6.4 | EPSS 0.00117
Exploits: 2 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2022-34820

Malicious code in bioql PyPI...

CVSS 4.8 | AI score 5.2 | EPSS 0.00238
Exploits: 2 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 0 views

EUVD-2024-3091

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 6.3 | EPSS 0.01064
Exploits: 0 | References: 5

Vulnrichment
added 2025/09/27 6:47 a.m. | 2 views

CVE-2025-9898 cForms – Light speed fast Form Builder <= 3.0.0 - Cross-Site Request Forgery

The cForms – Light speed fast Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the cformsapi function. This makes it possible for unauthenticated attackers to modify...

CVSS 4.3 | AI score 4.8 | EPSS 0.00014
Exploits: 0 | References: 2

RedhatCVE
added 2025/06/11 6:22 a.m. | 5 views

CVE-2025-3582

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 4.8 | AI score 4.7 | EPSS 0.00166
Exploits: 1 | References: 1

OSV
added 2025/06/09 6:15 a.m. | 1 views

CVE-2025-3582

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 4.8 | AI score 5.8 | EPSS 0.00166
Exploits: 1 | References: 1