Vulnerabilities and security research for contact-form-entries
Jun 07, 2024
Database for Contact Form 7, WPforms, Elementor forms # CVE-2021-25080
- CVE, Research URL
- Date
- Jan 24, 2022
- Research Description
- The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged-in admins viewing the created entry.
- Affected versions
- max 1.1.7.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # CVE-2021-25079
- CVE, Research URL
- Date
- Jan 24, 2022
- Research Description
- The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search, before outputting them back in the admin page.
- Affected versions
- max 1.2.4.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # CVE-2022-3604
- CVE, Research URL
- Date
- Jan 16, 2024
- Research Description
- The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when it is output to a CSV file, which could lead to CSV injection.
- Affected versions
- max 1.3.0.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # CVE-2023-31212
- CVE, Research URL
- Date
- Oct 31, 2023
- Research Description
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Database for Contact Form 7, WPforms, Elementor forms (contact-form-entries) allows SQL Injection. This issue affects Database for Contact Form 7, WPforms, Elementor forms: from n/a through 1.3.0.
- Affected versions
- max 1.3.1.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # CVE-2023-33311
- CVE, Research URL
- Date
- May 29, 2023
- Research Description
- Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CRM Perks Contact Form Entries plugin, versions <= 1.3.0.
- Affected versions
- max 1.3.1.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # CVE-2024-2030
- CVE, Research URL
- Date
- Mar 13, 2024
- Research Description
- The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
- max 1.3.4.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # CVE-2024-3715
- CVE, Research URL
- Date
- May 02, 2024
- Research Description
- The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
- max 1.3.9.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # CVE-2024-1069
- CVE, Research URL
- Date
- Jan 31, 2024
- Research Description
- The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, which may make remote code execution possible.
- Affected versions
- max 1.3.3.
- Status
- vulnerable
Aug 14, 2025
Database for Contact Form 7, WPforms, Elementor forms # CVE-2025-7384
- CVE, Research URL
- Date
- Aug 13, 2025
- Research Description
- The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
- Affected versions
- max 1.4.4.
- Status
- vulnerable
Apr 13, 2026
Database for Contact Form 7, WPforms, Elementor forms # CVE-2026-3831
- CVE, Research URL
- Date
- Apr 01, 2026
- Research Description
- The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions, including names, emails and phone numbers.
- Affected versions
- max 1.5.0.
- Status
- vulnerable
Apr 15, 2026
Database for Contact Form 7, WPforms, Elementor forms # CVE-2026-0825
- CVE, Research URL
- Date
- Jan 28, 2026
- Research Description
- The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability exists because, while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.
- Affected versions
- max 1.4.6.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # CVE-2026-2599
- CVE, Research URL
- Date
- Mar 05, 2026
- Research Description
- The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
- Affected versions
- max 1.4.8.
- Status
- vulnerable
Jun 16, 2026
Database for Contact Form 7, WPforms, Elementor forms # 462d567f3ad1d318c2c19fe5babcbb2da51728f0
- CVE, Research URL
- Date
- Aug 24, 2021
- Research Description
- Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries] < 1.2.1
- Contact Form Entries – Contact Form 7, WPforms and more <= 1.2.0 - Reflected Cross-Site Scripting
- The Contact Form Entries – Contact Form 7, WPforms and more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘start_date’ and ‘end_date’ parameters in versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
- max 1.2.1.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # 812c6844fd3d1e7de7c42fe60d7dfd9ba739d775
- CVE, Research URL
- Date
- Nov 14, 2021
- Research Description
- Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries] < 1.2.4
- WordPress Contact Form Entries plugin <= 1.2.3 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
- Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress Contact Form Entries plugin (versions <= 1.2.3).
- Affected versions
- max 1.2.4.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # 69175ef9b4291e401fd0d6b24d5d905a4e862a64
- CVE, Research URL
- Date
- Nov 14, 2021
- Research Description
- Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries] < 1.2.4
- WordPress Contact Form Entries plugin <= 1.2.3 - Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability
- Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi in WordPress Contact Form Entries plugin (versions <= 1.2.3).
- Affected versions
- max 1.2.4.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # 56cb8480-1791-4990-8fc7-2cb98a10c207
- CVE, Research URL
- Date
- -
- Research Description
- Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries] < 1.2.2
- Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting
- Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to Reflected Cross-Site Scripting issues executed in the context of a logged-in administrator. It first started with an obvious XSS via the vx_debug GET parameter in 7 plugins, and an attempt was made to fix the issues by sanitising user input via sanitize_text_field(), which is not sufficient when outputting in attributes. All of the vendor's plugins were checked and 27 out of 30 were found to be affected by output being sanitised but not escaped.
- Timeline:
  - August 2nd, 2021 - Details sent to vendor
  - August 16th, 2021 - Escalated to WP due to unresponsive vendor
  - August 24th, 2021 - Some new versions released, with insufficient fixes, still allowing for Cross-Site Scripting by injecting arbitrary attributes. Vendor was told to escape such data but argued about it.
  - August 26th, 2021 - Public disclosure
  - August 28th, 2021 - gf-infusionsoft 1.1.5 released, fixing the issue
  - August 29th, 2021 - cf7-mailchimp 1.1.1, cf7-salesforce 1.2.6, cf7-constant-contact 1.1.0, cf7-infusionsoft 1.1.4, cf7-hubspot 1.2.0, cf7-insightly 1.0.9, cf7-zendesk 1.0.8, cf7-zoho 1.1.9, integration-for-contact-form-7-and-pipedrive 1.1.1 released, fixing the issue
  - August 30th, 2021 - wp-gravity-forms-spreadsheets 1.1.1 released, fixing the issue
  - September 1st, 2021 - contact-form-entries 1.2.2, gf-salesforce-crmperks 1.2.6, gf-zoho 1.1.6, gf-hubspot 1.0.9, gf-zendesk 1.0.8, cf7-active-campaign 1.0.4, gf-freshdesk 1.2.9, gf-dynamics-crm 1.0.8, gf-constant-contact 1.0.6, integration-for-gravity-forms-and-pipedrive 1.0.7, gf-insightly 1.0.7, woo-salesforce-plugin-crm-perks 1.5.9, woo-zoho 1.2.4, wp-hubspot-woocommerce 1.0.5, wp-infusionsoft-woocommerce 1.0.9, wp-woocommerce-quickbooks 1.1.9 released, fixing the issue
- Affected versions
- max 1.2.2.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # 78da7e4ebf17bf04d89df5a7a7492deb53506a60
- CVE, Research URL
- Date
- Aug 26, 2021
- Research Description
- Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries] < 1.2.2
- CRM Perks - Various Plugins (Various Versions) - Reflected Cross-Site Scripting
- Multiple CRM Perks plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'vx_debug' parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
- max 1.2.2.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # 294c0c21-fd28-4727-8be6-406b1dd0b213
- CVE, Research URL
- Date
- -
- Research Description
- Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries] < 1.2.1
- Contact Form Entries < 1.2.1 - Reflected Cross-Site Scripting
- The plugin does not escape some of its filters before outputting them back in the admin dashboard, leading to Reflected Cross-Site Scripting issues.
- Affected versions
- max 1.2.1.
- Status
- vulnerable
Database for Contact Form 7, WPforms, Elementor forms # b7687f19dfbd04e66cbef1c70871c40ba88de736
- CVE, Research URL
- Date
- Nov 14, 2021
- Research Description
- Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries] < 1.2.4
- WordPress Contact Form Entries plugin <= 1.2.3 - Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities
- Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities discovered by Ex.Mi (Patchstack) in WordPress Contact Form Entries plugin (versions <= 1.2.3).
- Affected versions
- max 1.2.4.
- Status
- vulnerable
Jun 20, 2026
Database for Contact Form 7, WPforms, Elementor forms # CVE-2026-9843
- CVE, Research URL
- Date
- Jun 20, 2026
- Research Description
- The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP's bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file.
- Affected versions
- max 1.5.2.
- Status
- vulnerable