Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the stylesheet input in the backend configuration forms. An attacker can execute arbitrary scripts in the context of other users by injecting malicious HTML or JavaScript through the editor settings. This ca...

CVE-2023-49052

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component...

CVE-2023-4109

The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability...

CVE-2021-33224

File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a crafted web.config and asp file...

CVE-2022-0879

The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting...

CVE-2022-0402

The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bobczypanstwasprawazostalarozwiazana parameter before outputting it back in an attribute via the superlanguageswitcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking...

CVE-2017-18574

The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder...

CVE-2017-18495

The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress has XSS...

CVE-2019-2886

Vulnerability in the Oracle Forms product of Oracle Fusion Middleware component: Services. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Forms. Successful attacks require hum...

CVE-2020-12462

The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS...

CVE-2023-29434

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in FancyThemes Optin Forms – Simple List Building Plugin for WordPress plugin = 1.3.1 versions...

CVE-2023-50836

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ibericode HTML Forms allows Stored XSS.This issue affects HTML Forms: from n/a through 1.3.28...

CVE-2023-50891

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS.This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1...

CVE-2023-49841

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in FancyThemes Optin Forms – Simple List Building Plugin for WordPress allows Stored XSS.This issue affects Optin Forms – Simple List Building Plugin for WordPress: from n/a through 1.3.3...

CVE-2023-45275

Missing Authorization vulnerability in WP Chill Kali Forms kali-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kali Forms: from n/a through = 2.3.28...

CVE-2023-31095

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in CRM Perks Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.8...

CVE-2025-23041

Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade...

CVE-2025-23763

Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0...

CVE-2025-13722

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the fluentformaicreateform AJAX action. This makes it...

CVE-2022-38971

Stored Cross-Site Scripting XSS vulnerability in ThemeKraft Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions plugin = 2.7.5 versions...