429 matches found
CVE-2021-24688
The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the ordeletefiled one, which is available to both unauthenticated and authenticated users and could allow attackers to delete arbitrary posts. The AJAX calls performing...
CVE-2021-24704
In the Orange Form WordPress plugin through 1.0, the processbulkaction function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter $id. Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually...
CVE-2018-20964
The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF...
CVE-2013-7475
The contact-form-plugin plugin before 3.52 for WordPress has XSS...
CVE-2013-10022
A vulnerability, which was classified as problematic, has been found in BestWebSoft Contact Form Plugin 3.51 on WordPress. Affected by this issue is the function cntctfrmdisplayform/cntctfrmcheckform of the file contactform.php. The manipulation leads to cross site scripting. The attack may be...
CVE-2017-20055
A vulnerability classified as problematic has been found in BestWebSoft Contact Form Plugin 4.0.0. This affects an unknown part. The manipulation leads to stored cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be use...
CVE-2014-125095
A vulnerability was found in BestWebSoft Contact Form Plugin 1.3.4 on WordPress and classified as problematic. Affected by this issue is the function bwsaddmenurender of the file bwsmenu/bwsmenu.php. The manipulation of the argument bwsmnformemail leads to cross site scripting. The attack may be...
CVE-2024-12750
The Competition Form WordPress plugin through 2.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-12750
CVE-2024-12750 concerns the WordPress plugin Competition Form (versions
CVE-2024-12750 Competition Form <= 2.0 - Competition Deletion via CSRF
PT-2025-21403 · WordPress · Responsive Contact Form Builder & Lead Generation Plugin
Name of the Vulnerable Software and Affected Versions: Responsive Contact Form Builder & Lead Generation Plugin versions prior to 1.9.8 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html...
CVE-2025-2580
The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access...
CVE-2025-2580
CVE-2025-2580 affects the WordPress plugin Contact Form by Bit Form (up to v2.18.3). It allows Stored XSS via SVG uploads, requiring Author+ authentication; arbitrary scripts can execute when users load the SVG. A patch exists (Patched), so upgrade to the fixed version to remediate; details in Wo...
WordPress plugin WS Form LITE security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
CVE-2024-13452
The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and...
WordPress Calculated Fields Form plugin < 5.2.64 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Calculated Fields Form versions < 5.2.64...
CVE-2025-30885
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bit Apps Bit Form bit-form allows Phishing. This issue affects Bit Form: from n/a through <= 2.18.0...
WordPress Bit Form plugin <= 2.18.0 - Open Redirection vulnerability
Open Redirection vulnerability discovered by Le Ngoc Anh in WordPress Plugin Bit Form versions <= 2.18.0...