121 matches found
CVE-2026-9145
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the createentryel function in versions up to, and including, 1.5.1. The function reads rawvalue from Elementor Pro's FormRecord object for upload-type fields and passes it...
CVE-2026-11562 WS Form LITE < 1.11.8 - Subscriber+ Arbitrary Settings Update
The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE WordPress plugin before 1.11.8's settings...
WordPress Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin <= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection vulnerability
Authenticated Adminsitrator+ SQL Injection vulnerability discovered by Muhammad Arsalan Diponegoro tripoloski in WordPress Plugin Form Maker by 10Web versions = 1.15.43...
WordPress Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin <= 1.15.43 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated Administrator+ SQL Injection vulnerability discovered by Muhammad Arsalan Diponegoro tripoloski in WordPress Plugin Form Maker by 10Web versions = 1.15.43...
CVE-2026-42659 WordPress Advanced Form Integration plugin <= 1.126.12 - Broken Access Control vulnerability
Subscriber Broken Access Control in Advanced Form Integration = 1.126.12 versions...
CVE-2026-39502
This CVE concerns the WordPress plugin Form Maker by 10Web (versions <= 1.15.38). The issue is described as an Unauthenticated SQL Injection vulnerability in Form Maker by 10Web
CVE-2026-39502 WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability
Unauthenticated SQL Injection in Form Maker by 10Web = 1.15.38 versions...
CVE-2026-39502 WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability
Unauthenticated SQL Injection in Form Maker by 10Web = 1.15.38 versions...
EUVD-2026-35995
The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above,...
CVE-2018-25346
WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generetecsv actions. Attackers can submit POST requests with malicious SQL payloads in t...
EUVD-2018-21866
WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generetecsv actions. Attackers can submit POST requests with malicious SQL payloads in t...
CVE-2026-8692
The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it...
CVE-2026-5229
The Form Notify plugin for WordPress is vulnerable to an Authentication Bypass in versions up to 1.1.10 due to trusting user-controlled cookie data to select the WordPress account after a LINE OAuth login. If LINE omits an email address, the plugin uses the 'form_notify_line_email' cookie without...
CVE-2026-6206 MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...
PT-2026-39484
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form id parameter. Attackers can craft malicious URLs to code generator.php with script payloads in the form id paramete...
WordPress Form Maker by 10Web plugin <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box vulnerability
Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin Form Maker by 10Web versions = 1.15.40...
WordPress Form Maker plugin < 1.15.38 - SQL Injection vulnerability
SQL Injection vulnerability discovered by hiariz in WordPress Plugin Form Maker by 10Web versions 1.15.38...
CVE-2026-5436 MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter upload field key passed to the generateuserfiledirpath function, which uses WordPress's pathjoin — a function that...
CVE-2026-5436 MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter upload field key passed to the generateuserfiledirpath function, which uses WordPress's pathjoin — a function that...
WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Form Maker by 10Web versions = 1.15.38...