Vulnerabilities and security researches forcontact-form-to-email contact-form-to-email

Jun 06, 2024

CVE, Research URL: CVE-2018-20963
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Aug 13, 2019
Research Description: The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.
Affected versions: max 1.2.66.
Status: vulnerable

CVE, Research URL: CVE-2018-20964
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Aug 13, 2019
Research Description: The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.
Affected versions: max 1.2.66.
Status: vulnerable

CVE, Research URL: CVE-2021-42361
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Nov 18, 2021
Research Description: The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Affected versions: max 1.3.25.
Status: vulnerable

CVE, Research URL: CVE-2019-9646
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Mar 11, 2019
Research Description: The Contact Form Email plugin before 1.2.66 for WordPress allows wp-admin/admin.php item XSS, related to cp_admin_int_edition.inc.php in the "custom edition area."
Affected versions: max 1.3.32.
Status: vulnerable

CVE, Research URL: CVE-2023-28494
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Jun 04, 2024
Research Description: Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31.
Affected versions: max 1.3.32.
Status: vulnerable

CVE, Research URL: CVE-2024-31302
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Apr 10, 2024
Research Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodePeople Contact Form Email.This issue affects Contact Form Email: from n/a through 1.3.44.
Affected versions: max 1.3.45.
Status: vulnerable

CVE, Research URL: CVE-2023-2718
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Jun 12, 2023
Research Description: The Contact Form Email WordPress plugin before 1.3.38 does not escape submitted values before displaying them in the HTML, leading to a Stored XSS vulnerability.
Affected versions: max 1.3.38.
Status: vulnerable

CVE, Research URL: CVE-2023-48318
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Jun 04, 2024
Research Description: Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Contact Form Email allows Functionality Bypass.This issue affects Contact Form Email: from n/a through 1.3.41.
Affected versions: max 1.3.42.
Status: vulnerable

CVE, Research URL: CVE-2023-5955
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Dec 12, 2023
Research Description: The Contact Form Email WordPress plugin before 1.3.44 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: max 1.3.44.
Status: vulnerable

Jan 25, 2025

CVE, Research URL: CVE-2025-24727
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Jan 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Contact Form Email allows Stored XSS. This issue affects Contact Form Email: from n/a through 1.3.52.
Affected versions: max 1.3.53.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-64369
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Nov 13, 2025
Research Description: Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.58.
Affected versions: max 1.3.59.
Status: vulnerable

Jan 11, 2026

CVE, Research URL: CVE-2025-10019
Home page URL: Security reports for Contact Form Email
Application: Contact Form Email
Date: Dec 18, 2025
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60.
Affected versions: max 1.3.60.
Status: vulnerable