CVE-2025-13861

CVE-2025-13861 affects the WordPress plugin HTML Forms – Simple WordPress Forms Plugin. It is vulnerable to unauthenticated stored XSS in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it on the admin submissions ...

EUVD-2025-203871

The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This...

CVE-2025-12125 HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting

The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-12125

CVE-2025-12125 corresponds to a Stored Cross-Site Scripting vulnerability in the WordPress plugin HTML Forms – Simple WordPress Forms Plugin. The issue arises from insufficient input sanitization and output escaping in admin settings, making authenticated attackers with administrator-level permis...

CVE-2025-12125 HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting

The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

WordPress plugin HTML Forms 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

WordPress HTML Forms plugin < 1.3.34 - Bulk Delete via CSRF vulnerability

Bulk Delete via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin HTML Forms versions 1.3.34...

CVE-2024-6412 HTML Forms – Simple WordPress Forms Plugin < 1.3.34 - Bulk Delete via CSRF

The HTML Forms WordPress plugin before 1.3.34 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

CVE-2024-6243

The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disabled...

PT-2024-37475 · WordPress · Html Forms

Name of the Vulnerable Software and Affected Versions: HTML Forms WordPress plugin versions prior to 1.3.33 Description: The issue allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting XSS attacks. This is possible because the plugin does not properly sanitiz...