15 matches found
CVE-2026-12120
The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' parameter. This makes it possible for unauthenticated attackers to download a full CSV export of a...
WordPress FireBox Popups – Increase Sales and Grow Your Email List plugin <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Parameter vulnerability
Unauthenticated Sensitive Information Exposure in 'form_id' Parameter vulnerability discovered by Duc Manh in WordPress Plugin FireBox versions <= 3.1.7...
CVE-2026-5396 Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter
The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied form_id quer...
EUVD-2022-55980
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter t...
CVE-2022-50959 WordPress Contact Form Builder 1.6.1 Cross-Site Scripting via code_generator.php
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter t...
CVE-2022-50959
CVE-2022-50959 affects WordPress Contact Form Builder 1.6.1. It is a reflected cross-site scripting vulnerability where an unauthenticated attacker can cause arbitrary JavaScript execution in a victim’s browser by injecting payloads via the form_id parameter, using crafted URLs to code_generator....
WordPress plugin Contact Form Builder cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
PT-2026-4603
The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form id' parameter of the 'leadbi form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...
WordPress plugin LeadBI Plugin for WordPress Cross-Site Script Vulnerabilities
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...
CVE-2024-32493
An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request...
CVE-2024-1776
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'form-id' parameter in all versions up to, and including, 1.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
PT-2024-18297 · WordPress · Contact Form 7
Name of the Vulnerable Software and Affected Versions: Contact Form 7 plugin for WordPress versions up to, and including, 1.1.1 Description: The Admin side data storage for the Contact Form 7 plugin is vulnerable to SQL Injection via the form-id parameter due to insufficient escaping on the...
PT-2024-19513 · Unknown · Form Tools
Name of the Vulnerable Software and Affected Versions: Form Tools version 3.1.1 Description: A reflected cross-site scripting (XSS) issue was discovered in Form Tools. The vulnerability is exploited via the /form builder/preview.php API endpoint, specifically when the form id parameter is used, suc...
CVE-2022-0420
The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rmformid parameter before using it in a SQL statement in the Automation admin dashboard, allowing high privilege users to perform SQL injection attacks...
CVE-2017-17055
Artica Web Proxy before 3.06.112911 allows remote attackers to execute arbitrary code as root by conducting a cross-site scripting (XSS) attack involving the username-form-id parameter to freeradius.users.php...