CVE-2026-1867 WP Front User Submit < 5.0.6 - Unauthenticated Sensitive Information Exposure

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the Guest posting / Frontend...

CVE-2026-1860

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the getitemspermissionscheck permission callback on the /kaliforms/v1/forms/id REST API endpoint only checking for the editposts capability without...

CVE-2026-1860

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the getitemspermissionscheck permission callback on the /kaliforms/v1/forms/id REST API endpoint only checking for the editposts capability without...

CVE-2026-1860

The Kali Forms WordPress plugin (versions

CVE-2026-1860 Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the getitemspermissionscheck permission callback on the /kaliforms/v1/forms/id REST API endpoint only checking for the editposts capability without...

CVE-2026-1860 Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the getitemspermissionscheck permission callback on the /kaliforms/v1/forms/id REST API endpoint only checking for the editposts capability without...

CVE-2025-15510

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5ExportForms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configuration...

CVE-2026-0825 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download...

CVE-2026-0633

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without...

CVE-2025-12825

CVE-2025-12825 affects the WordPress plugin User Registration Using Contact Form 7. The issue is a missing capability check in get_cf7_form_data across all versions up to and including 2.5, enabling unauthorized data access (including Facebook app secrets) by unauthenticated users. Connected sour...

WordPress plugin: User Registration Using Contact Form security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

EUVD-2025-200214

The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. Th...

PT-2025-12357

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.126 Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92 Description The...

CVE-2024-47047

An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference IDOR in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms...

Liferay Portal and Liferay DXP autosaves form data for other users to see

The Dynamic Data Mapping module in Dynamic Data Mapping Form Web before 3.0.23 in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by...