CVE-2026-49741

Backend users with write access to the formdefinition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations,...

CVE-2025-13722

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the fluentformaicreateform AJAX action. This makes it...

CVE-2025-13722 Fluent Forms <= 6.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Creation via AI Builder

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the fluentformaicreateform AJAX action. This makes it...

CVE-2025-13722

CVE-2025-13722 affects Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder for WordPress. Wordfence reports Missing Authorization in the fluentform_ai_create_form AJAX action, allowing authenticated attackers with Subscriber+ privileges to create arbitrary forms...

EUVD-2022-4714

Malicious code in bioql PyPI...

Contact Form 7 Database Addon < 1.2.6.1 - Arbitrary Form Deletion via CSRF

The plugin does not have CSRF check when processing bulk actions, which could allow attackers to make logged in admin delete arbitrary forms for example...

Easy Form Builder <= 1.0 - Unauthorised AJAX calls

While confirming https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484, we noticed that all AJAX actions of the plugin, available to authenticated users, do not have any CSRF and authorisation checks in place, allowing low privilege users to call them and delete/edit arbitrary for...