CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

4677 matches found

Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation

The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's...

9.8CVSS5.2AI score0.21837EPSS

Exploits1References3

Nuclei•added 17 hours ago•23 views

Contact Form to DB by BestWebSoft < 1.5.7 - Cross-Site Scripting

The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues. id: CVE-2017-18492 info: name: Contact Form to DB by BestWebSoft 1.5.7 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The contact-form-to-db plugin before 1.5.7 for WordPress has multip...

6.1CVSS6AI score0.00104EPSS

Exploits1References4

Nuclei•added 17 hours ago•22 views

Contact Form by BestWebSoft < 4.0.6 - Cross-Site Scripting

The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues. id: CVE-2017-18491 info: name: Contact Form by BestWebSoft 4.0.6 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The contact-form-plugin plugin before 4.0.6 for WordPress has multiple X...

6.1CVSS6AI score0.00104EPSS

Exploits1References4

Nuclei•added 17 hours ago•68 views

WordPress Contact Form 7 <1.3.6.3 - Stored Cross-Site Scripting

WordPress Contact Form 7 before 1.3.6.3 contains an unauthenticated stored cross-site scripting vulnerability in the Drag and Drop Multiple File Upload plugin. SVG files can be uploaded by default via the dndcodedropzupload AJAX action. id: CVE-2022-0595 info: name: WordPress Contact Form 7 1.3.6...

5.4CVSS5.3AI score0.05776EPSS

Exploits2References4

Nuclei•added 17 hours ago•23 views

Contact Form Entries < 1.2.4 - Cross-Site Scripting

The plugin does not sanitise and escape various parameters, such as formid, status, enddate, order, orderby and search before outputting them back in the admin page id: CVE-2021-25079 info: name: Contact Form Entries 1.2.4 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | The...

6.1CVSS6.1AI score0.01396EPSS

Exploits4References4

Nuclei•added 17 hours ago•29 views

WordPress Supsystic Contact Form <1.7.15 - Cross-Site Scripting

WordPress Supsystic Contact Form plugin before 1.7.15 contains a cross-site scripting vulnerability. It does not sanitize the tab parameter of its options page before outputting it in an attribute. id: CVE-2021-24276 info: name: WordPress Supsystic Contact Form 1.7.15 - Cross-Site Scripting autho...

6.1CVSS5.8AI score0.08366EPSS

Exploits5References5

Nuclei•added 17 hours ago•15 views

Contact Form Generator <= 2.5.5 - Cross-Site Scripting

The Contact Form Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in wp-admin/admin.php in versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.1CVSS7.1AI score0.21793EPSS

Exploits3References2

Nuclei•added 17 hours ago•14 views

Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution

Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin = 1.3.9.6 contains an unrestricted file upload caused by insufficient file type validation and bypass of filename sanitization with non-ASCII characters, letting unauthenticated attackers upload arbitrary files and achieve...

8.1CVSS5.8AI score0.04249EPSS

Exploits3References2

Nuclei•added 17 hours ago•46 views

Contact Form 7 Math Captcha <= 2.0.1 - Cross-site Scripting

The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. id: CVE-2024-6517 info: name: Contact Form 7 Math Captcha =...

6.1CVSS5.1AI score0.04041EPSS

Exploits1References2

Nuclei•added 17 hours ago•15 views

WordPress Contact Form 7 Captcha <0.1.2 - Cross-Site Scripting

WordPress Contact Form 7 Captcha plugin before 0.1.2 contains a reflected cross-site scripting vulnerability. It does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute. id: CVE-2022-2187 info: name: WordPress Contact Form 7 Captcha 0.1.2 - Cross-Site Scripting...

6.1CVSS5.8AI score0.02697EPSS

Exploits2References5

NVD•added yesterday•8 views

CVE-2023-25969

Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through 1.8.4...

5.4CVSS0.00027EPSS

Exploits0References1

Cvelist•added yesterday•22 views

CVE-2023-25969 WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.8.4 - Broken Access Control vulnerability

5.4CVSS0.00027EPSS

Exploits0References1

CVE•added yesterday•16 views

CVE-2023-25969

CVE-2023-25969 is aBroken Access Control issue reported across multiple WordPress plugins with unauthenticated access. Connected advisories show: Lead Form Elementor Builder: vulnerable <= 1.8.4; fixed in 1.8.5 TH Side Cart and Menu Cart for WooCommerce: vulnerable <= 1.1.1; fixed in 1.1.2 ...

5.4CVSS7.8AI score0.00027EPSS

Exploits0References1

EUVD•added yesterday•4 views

EUVD-2023-60589

5.4CVSS5.4AI score0.00027EPSS

Exploits0References1

Vulnrichment•added yesterday•4 views

CVE-2023-25969 WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.8.4 - Broken Access Control vulnerability

5.4CVSS7.8AI score0.00027EPSS

Exploits0References1

Nuclei•added yesterday•11 views

WordPress Contact Form by Supsystic - Server-Side Template Injection

Contact Form by Supsystic WordPress plugin = 1.7.36 contains a server-side template injection caused by unsandboxed TwigLoaderString and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters. id: CVE-2026-4257 info: name: WordPress Contact...

9.8CVSS5.9AI score0.86931EPSS

Exploits7References3

Positive Technologies•added yesterday•5 views

PT-2026-48641

5.4CVSS7.8AI score0.00027EPSS

Exploits0References2

Nuclei•added 3 days ago•8 views

WordPress Sexy Contact Form (<= 0.9.7) - Arbitrary File Upload

Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form formerly Sexy Contact Form before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute...

9.8CVSS8.3AI score0.91552EPSS

Exploits2References5

RedhatCVE•added 5 days ago•12 views

CVE-2026-8991

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dragndroptext' and 'dragndropbrowsetext' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes i...

4.4CVSS5.7AI score0.00039EPSS

Exploits0References1

NVD•added 6 days ago•8 views

CVE-2026-8991

4.4CVSS0.00039EPSS

Exploits0References8

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by