20 matches found

Vulnrichment
added 2026/05/14 5:30 a.m. | 4 views

CVE-2026-5396 Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied form_id quer...

CVSS 8.2 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 2
ATTACKERKB
added 2026/05/14 5:30 a.m. | 3 views

CVE-2026-5396

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied form_id quer...

CVSS 8.2 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 3
CVE
added 2026/05/14 5:30 a.m. | 8 views

CVE-2026-5396

The CVE-2026-5396 case concerns the Fluent Forms WordPress plugin (all versions up to 6.1.21). The underlying issue is in the SubmissionPolicy logic, which authorizes submission-level actions based on a user-supplied form_id parameter. This allows authenticated attackers who have Fluent Forms ...

CVSS 8.2 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 2
ATTACKERKB
added 2026/05/10 12:12 p.m. | 5 views

CVE-2022-50959

WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to codegenerator.php with script payloads in the form_id parameter t...

CVSS 6.1 | AI score 5.9 | EPSS 0.00089
Exploits 0 | References 3 | Affected Software 1
Patchstack
added 2026/03/30 8:35 a.m. | 5 views

WordPress SureForms plugin <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id' vulnerability

Unauthenticated Payment Amount Validation Bypass via 'form_id' vulnerability discovered by Jack Pas Dark - Black Lantern Security in WordPress Plugin SureForms versions <= 2.5.2...

CVSS 7.5 | AI score 5.9 | EPSS 0.00144
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2026/03/28 1:25 a.m. | 31 views

CVE-2026-4987 SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'

The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the createpaymentintent function performing a payment validation solely based on the value of a...

CVSS 7.5 | EPSS 0.00144
Exploits 0 | References 2
ATTACKERKB
added 2026/01/24 9:08 a.m. | 2 views

CVE-2026-1189

The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbiform' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVSS 6.4 | AI score 6 | EPSS 0.00055
Exploits 0 | References 5
Cvelist
added 2026/01/24 9:08 a.m. | 28 views

CVE-2026-1189 LeadBI Plugin for WordPress <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_id' Shortcode Attribute

The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbiform' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVSS 6.4 | EPSS 0.00055
Exploits 0 | References 4
EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2007-2925

Malware in sbrugna...

CVSS 7.5 | AI score 6.4 | EPSS 0.00341
Exploits 0 | References 4
EUVD
added 2025/10/03 8:07 p.m. | 4 views

EUVD-2024-24826

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.6 | EPSS 0.021
Exploits 1 | References 4
RedhatCVE
added 2025/05/23 10:09 a.m. | 7 views

CVE-2024-27632

An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header function...

CVSS 8.8 | AI score 7.2 | EPSS 0.021
Exploits 1 | References 1
RedhatCVE
added 2025/05/23 2:39 a.m. | 0 views

CVE-2023-5051

The CallRail Phone Call Tracking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callrailform' shortcode in versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on the 'form_id' user supplied attribute. This makes it possible fo...

CVSS 6.4 | AI score 6.1 | EPSS 0.00114
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 9:37 p.m. | 7 views

CVE-2021-25099

The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting...

CVSS 6.1 | AI score 6.7 | EPSS 0.02406
Exploits 2 | References 1
NVD
added 2024/04/08 10:15 p.m. | 10 views

CVE-2024-27632

An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header function...

CVSS 8.8 | AI score 6.8 | EPSS 0.021
Exploits 1 | References 2
OSV
added 2024/04/08 10:15 p.m. | 1 view

CVE-2024-27632

An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header function...

CVSS 8.8 | AI score 5.8 | EPSS 0.021
Exploits 1 | References 2
Vulnrichment
added 2024/04/08 12:00 a.m. | 10 views

CVE-2024-27632

An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header function...

AI score 7.1 | EPSS 0.021
Exploits 1 | References 2
WPVulnDB
added 2023/05/30 12:00 a.m. | 21 views

CRM Perks Forms < 1.1.2 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitize and escape the form_id field in the plugin settings page, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC...

CVSS 4.8 | AI score 5.8 | EPSS 0.00192
Exploits 2 | References 1 | Affected Software 1
wpexploit
added 2021/11/22 12:00 a.m. | 178 views

Everest Forms < 1.8.0 - Reflected Cross-Site Scripting

The plugin does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. The form_id needs to be a valid one...

CVSS 6.1 | AI score 0.8 | EPSS 0.00471
Exploits 2
wpexploit
added 2020/01/30 12:00 a.m. | 14 views

Registration Magic < 4.6.0.3 - Authenticated SQL Injection via Form_id

The RegistrationMagic – Custom Registration Forms and User Login WordPress plugin was affected by an Authenticated SQL Injection via Form_id security vulnerability. https://example.com/wp-admin/admin.php?page=rmanalyticsshowform&rmformid=selectfromselectsleep20a&rmtr=30...

CVSS 4.3 | AI score 2.4 | EPSS 0.00326
Exploits 2 | References 1
WPVulnDB
added 2020/01/30 12:00 a.m. | 12 views

Registration Magic < 4.6.0.3 - Authenticated SQL Injection via Form_id

The RegistrationMagic – Custom Registration Forms and User Login WordPress plugin was affected by an Authenticated SQL Injection via Form_id security vulnerability. PoC https://example.com/wp-admin/admin.php?page=rmanalyticsshowformformid=selectfromselectsleep20atr=30...

CVSS 4.3 | AI score 1.4 | EPSS 0.00326
Exploits 2 | References 1 | Affected Software 1