CVE-2025-0817 FormCraft - Premium WordPress Form Builder <= 3.9.11 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pag...

CVE-2025-0817 FormCraft - Premium WordPress Form Builder <= 3.9.11 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pag...

CVE-2025-0817

CVE-2025-0817 affects the WordPress plugin FormCraft (WordPress) and is a Stored Cross-Site Scripting vulnerability via SVG file uploads. Root cause: insufficient input sanitization and output escaping for SVG uploads in all versions up to 3.9.11. Impact: unauthenticated attackers can inject web ...

WordPress FormCraft plugin <= 3.9.11 - Missing Authorization to Plugin Data Export in formcraft-main.php vulnerability

Missing Authorization to Plugin Data Export in formcraft-main.php vulnerability discovered by Nguyễn Trung Kiên in WordPress Plugin FormCraft 3 versions = 3.9.11...

WordPress FormCraft - Premium WordPress Form Builder plugin <= 3.9.11 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload vulnerability

WordPress FormCraft - Premium WordPress Form Builder plugin = 3.9.11 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by shaman0x01 in WordPress Plugin FormCraft 3 versions = 3.9.11...

WordPress plugin FormCraft 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...

PT-2025-6610 · WordPress · Formcraft

Name of the Vulnerable Software and Affected Versions: FormCraft plugin for WordPress versions up to and including 3.9.11 Description: The issue arises from a missing capability check in formcraft-main.php, allowing authenticated attackers with Subscriber-level access and above to export all plug...

WordPress plugin FormCraft 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

WordPress plugin FormCraft 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

SUSE CVE-2023-3501

The FormCraft WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

VulnCheck KEV: CVE-2022-0591

The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3get AJAX action, leading to SSRF issues exploitable by unauthenticated users...

CVE-2023-3501

The FormCraft WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-3501 FormCraft < 1.2.7 - Admin+ Stored XSS

The FormCraft WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

WordPress plugin FormCraft 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...

PT-2023-25093 · WordPress · Formcraft

Name of the Vulnerable Software and Affected Versions: FormCraft WordPress plugin versions prior to 1.2.7 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for...

CVE-2023-2592

The FormCraft WordPress plugin before 3.9.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...

PT-2023-20361 · WordPress · Formcraft

Name of the Vulnerable Software and Affected Versions: FormCraft WordPress plugin versions prior to 3.9.7 Description: The issue arises from improper sanitization and escaping of a parameter before its use in a SQL statement, resulting in a SQL injection that can be exploited by high-privilege...

CVE-2023-22717

Auth. contributor+ Stored Cross-Site Scripting XSS vulnerability in nCrafts FormCraft plugin = 1.2.6 versions...

CVE-2023-22717

CVE-2023-22717 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin FormCraft (nCrafts FormCraft) , affecting versions up to and including 1.2.6 . The vulnerability requires at least a Contributor+ authentication level and can be triggered through stored input, leading to ...

WordPress FormCraft Plugin <= 1.2.9 is vulnerable to Cross Site Scripting (XSS)

Software FormCraft Type Plugin Vulnerable versions = 1.2.9 Fixed in 1.2.10 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-22717 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 2506902e7f8e Credits István Márton Required...