8134 matches found

EUVD
added 2025/12/06 9:31 a.m. | 2 views

EUVD-2025-201540

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submissionid' parameter due to missing validation on a user controlled key within...

CVSS 5.3 | AI score 5.5 | EPSS 0.00063
Exploits: 0 | References: 3

NVD
added 2025/12/06 7:15 a.m. | 2 views

CVE-2025-13748

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submissionid' parameter due to missing validation on a user controlled key within...

CVSS 5.3 | EPSS 0.00063
Exploits: 0 | References: 2

Cvelist
added 2025/12/06 6:39 a.m. | 16 views

CVE-2025-13748 Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submissionid' parameter due to missing validation on a user controlled key within...

CVSS 5.3 | EPSS 0.00063
Exploits: 0 | References: 2

CVE
added 2025/12/06 6:39 a.m. | 18 views

CVE-2025-13748

CVE-2025-13748: Fluent Forms for WordPress (

CVSS 5.3 | AI score 5.6 | EPSS 0.00063
Exploits: 0 | References: 2

Vulnrichment
added 2025/12/06 6:39 a.m. | 3 views

CVE-2025-13748 Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submissionid' parameter due to missing validation on a user controlled key within...

CVSS 5.3 | AI score 5.6 | EPSS 0.00063
Exploits: 0 | References: 2

Positive Technologies
added 2025/12/06 12:0 a.m. | 2 views

PT-2025-49355

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission id' parameter due to missing validation on a user controlled key within...

CVSS 5.3 | AI score 6 | EPSS 0.00063
Exploits: 0 | References: 3

CNNVD
added 2025/12/06 12:0 a.m. | 1 view

WordPress plugin Fluent Forms security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 5.3 | AI score 6.5 | EPSS 0.00063
Exploits: 0 | References: 3

RedhatCVE
added 2025/12/05 11:0 a.m. | 8 views

CVE-2025-66516

An XML External Entity (XXE) injection vulnerability was found in the Apache Tika framework's PDF parsing functionality. It could allow a remote, unauthenticated attacker to exploit the system by providing a specially crafted PDF containing an XFA (XML Forms Architecture) file. This flaw could lead to...

CVSS 10 | AI score 8.7 | EPSS 0.02042
Exploits: 6 | References: 5

NVD
added 2025/12/03 1:16 p.m. | 7 views

CVE-2025-13342

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run save handler. This makes it...

CVSS 9.8 | EPSS 0.00088
Exploits: 2 | References: 2

Positive Technologies
added 2025/12/02 12:0 a.m. | 7 views

PT-2025-48654

The SureMail – SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save file function in inc/emails/handler/uploads.php which duplicates all email attachments to a web-accessib...

CVSS 8.1 | AI score 7.4 | EPSS 0.0018
Exploits: 0 | References: 7

CVE
added 2025/12/01 9:10 p.m. | 9 views

CVE-2025-66298

Grav is a file-based CMS affected by a server‑side template injection (SSTI) via forms. A crafted POST can disclose the entire Grav configuration, including plugin settings, exposing sensitive information. This vulnerability exists in Grav prior to 1.8.0-beta.27 and is fixed in 1.8.0-beta.27. Rem...

CVSS 8.7 | AI score 6.1 | EPSS 0.0007
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2025/12/01 1:26 p.m. | 1 view

MAL-2025-191595 Malicious code in tailwindcss-forms (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65ee27d0caf9bfc7ff677eb3a3ab32742a19c31bc8418b532bbf925c6a5c385b The package tailwindcss-forms was found to contain malicious code...

AI score 6.8
Exploits: 0 | References: 3

OSSF Malicious Packages
added 2025/12/01 1:26 p.m. | 4 views

Malicious code in tailwindcss-forms (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65ee27d0caf9bfc7ff677eb3a3ab32742a19c31bc8418b532bbf925c6a5c385b The package tailwindcss-forms was found to contain malicious code...

AI score 7
Exploits: 0 | References: 3

Snyk
added 2025/11/30 1:14 p.m. | 1 view

Malicious Package

Overview: tailwindcss-forms is a malicious package. This package contains malicious code associated with a social engineering campaign called "Contagious Interview." The attackers target developers through fake job interviews or coding test assignments that require the installation of this package...

CVSS 9.8 | AI score 7.2
Exploits: 0 | References: 3

Snyk
added 2025/11/30 1:14 p.m. | 0 views

Malicious Package

Overview: tailwind-forms-plus is a malicious package. This package contains malicious code associated with a social engineering campaign called "Contagious Interview." The attackers target developers through fake job interviews or coding test assignments that require the installation of this...

CVSS 9.8 | AI score 7.2
Exploits: 0 | References: 3

RedhatCVE
added 2025/11/28 8:8 p.m. | 3 views

CVE-2025-64515

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

CVSS 4.3 | AI score 6.8 | EPSS 0.00053
Exploits: 0 | References: 1

Patchstack
added 2025/11/24 8:23 a.m. | 4 views

WordPress Flo Forms plugin <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload vulnerability

Unauthenticated Stored Cross-Site Scripting via SVG Upload vulnerability discovered by Moose Love - Nagasaki Prefectural University in WordPress Plugin Flo Forms versions <= 1.0.43...

CVSS 7.1 | AI score 5.8 | EPSS 0.00048
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE
added 2025/11/23 9:40 a.m. | 10 views

CVE-2025-13136

The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 4.3 | AI score 4.9 | EPSS 0.0004
Exploits: 0 | References: 1

EUVD
added 2025/11/22 9:31 a.m. | 2 views

EUVD-2025-198533

The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 4.3 | AI score 4.5 | EPSS 0.0004
Exploits: 0 | References: 3

NVD
added 2025/11/22 9:15 a.m. | 5 views

CVE-2025-13136

The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 4.3 | EPSS 0.0004
Exploits: 0 | References: 2