CVE-2026-4986 WPForms Lite < 1.10.0.5 – Unauthenticated PayPal Webhook Forgery

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions...

CVE-2026-4986

The CVE-2026-4986 entry concerns the WPForms WordPress plugin (pre-1.10.0.5). The issue is that incoming PayPal webhook events are not validated for authenticity before processing, enabling unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transacti...

PT-2026-40009

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection.This issue affects Views for WPForms: from n/a through = 3.4.6...

CVE-2026-40764

Cross-Site Request Forgery CSRF vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through = 1.10.0.2...

CVE-2026-40764

Cross-Site Request Forgery CSRF vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through = 1.10.0.2...

CVE-2026-25339

Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through = 1.9.8.7...

CVE-2026-32446

Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through = 1.9.9.3...

EUVD-2026-11991

Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through = 1.9.9.3...

CVE-2026-32446

Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through = 1.9.9.3...

EUVD-2023-34915

Malicious code in bioql PyPI...

CVE-2023-30500

Unauth. Reflected Cross-Site Scripting XSS vulnerability in WPForms WPForms Lite wpforms-lite, WPForms WPForms Pro wpforms plugins = 1.8.1.2 versions...

CVE-2025-3794 WPForms Lite <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start_timestamp' Parameter

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the starttimestamp parameter in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping...

CVE-2025-3794 WPForms Lite <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start_timestamp' Parameter

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the starttimestamp parameter in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping...

CVE-2025-3794

CVE-2025-3794 refers to WPForms Lite

WordPress WPForms Lite plugin <= 1.9.3.1 XSS Vulnerability

The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wpforms:contactform"; if description...

CVE-2024-13403 WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and output escaping...

CVE-2024-13403

CVE-2024-13403 affects WPForms Lite for WordPress (versions up to and including 1.9.3.1). The vulnerability is a stored cross-site scripting flaw in the fieldHTML parameter caused by insufficient input sanitization and output escaping. Exploitation requires an authenticated user with Contributor-...

WordPress WPForms Lite plugin <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via fieldHTML Parameter vulnerability discovered by Asaf Mozes in WordPress Plugin Contact Form by WPForms versions = 1.9.3.1...

CVE-2024-56276 WordPress WPForms Lite plugin <= 1.9.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through 1.9.2.2...

CVE-2024-56276 WordPress WPForms Lite plugin <= 1.9.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through = 1.9.2.2...