5 matches found
CVE-2022-3689
The CVE-2022-3689 entry concerns the WordPress HTML Forms plugin prior to version 1.3.25, where a parameter is not properly escaped before being used in an SQL statement, causing a SQL injection. The vulnerability is exploitable by high-privilege users and can lead to confidential data disclosure...
CVE-2023-50836
CVE-2023-50836 affects WordPress HTML Forms Plugin versions up to 1.3.28 (and ≤1.3.29 per Patchstack) with a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. The issue is tied to the ibericode HTML Forms integration in the plugin,...
CVE-2025-46236
CVE-2025-46236: WordPress HTML Forms plugin (Link Software LLC) contains a stored XSS due to improper input neutralization during web page generation. Affected versions are 1.5.2 and earlier. Public references (NVD/patch sources) confirm the issue and CVSS vectors/score; however, the connected do...
CVE-2024-6412
CVE-2024-6412 affects HTML Forms – Simple WordPress Forms Plugin prior to 1.3.34. The description indicates that CSRF checks are missing in some areas, enabling CSRF attacks that could cause logged-in users to perform unintended actions. Connected Patchstack data confirms a fix: upgrade to version 1.3.34 ...
CVE-2024-6243
CVE-2024-6243 affects the WordPress plugin HTML Forms prior to version 1.3.33. The vulnerability is a Stored XSS in form message inputs due to lack of sanitization/escaping, enabling high-privilege users (e.g., administrators) to inject scripts. Public writeups in multiple sources (NVD/NIST entry...