CVE-2023-0439

The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins in multisite / admins in single site can create forms, however there is a settings allowing them to give lower roles access to such featur...

CVE-2023-35909

Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS.This issue affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress: from n/a through 3.6.25...

CVE-2023-0272

The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-6830

The Formidable Forms plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected...

CVE-2023-5530

The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfilteredhtml capability can perform this, and such users are already allowed to use ...

CVE-2022-3142

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured...

CVE-2022-44631

Auth. author+ Stored Cross-Site Scripting XSS vulnerability in 1app Technologies, Inc 1app Business Forms plugin = 1.0.0 versions...

CVE-2022-4024

The Registration Forms WordPress plugin before 3.8.1.3 does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users along with their posts...

CVE-2022-45803

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through 2.2.8.3...

CVE-2021-24165

In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wpajaxnfoauthconnect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place...

CVE-2021-24705

The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in attributes. This could allow attackers to make a logged in admin edit arbitrary forms with Cross-Site...

CVE-2021-24628

The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection...

CVE-2021-24689

The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack...

CVE-2021-24505

The Forms WordPress plugin before 1.12.3 did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting XSS vulnerability within the Forms "Add new" field...

CVE-2020-36670

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to...

CVE-2020-8594

The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninjaformsrecaptchasitekey, ninjaformsrecaptchasecretkey, ninjaformsrecaptchalang, or ninjaformsdateformat...

CVE-2020-36174

The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration...

CVE-2020-36175

The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field...

CVE-2020-36173

The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields...

CVE-2018-20981

The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests...