Vulnerabilities and security researches forweforms weforms

Jan 10, 2026

CVE, Research URL: CVE-2025-69028
Home page URL: Security reports for weForms – Easy Drag & Drop Contact Form Builder For WordPress
Application: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Date: Dec 30, 2025
Research Description: Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25.
Affected versions: max 1.6.25.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-51524
Home page URL: Security reports for weForms – Easy Drag & Drop Contact Form Builder For WordPress
Application: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Date: Jun 12, 2024
Research Description: Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.18.
Affected versions: max 1.6.19.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2024-32512
Home page URL: Security reports for weForms – Easy Drag & Drop Contact Form Builder For WordPress
Application: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Date: May 17, 2024
Research Description: Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality.This issue affects weForms: from n/a through 1.6.20.
Affected versions: max 1.6.24.
Status: vulnerable

CVE, Research URL: CVE-2024-0386
Home page URL: Security reports for weForms – Easy Drag & Drop Contact Form Builder For WordPress
Application: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Date: Mar 13, 2024
Research Description: The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.6.22.
Status: vulnerable

CVE, Research URL: CVE-2024-30512
Home page URL: Security reports for weForms – Easy Drag & Drop Contact Form Builder For WordPress
Application: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Date: Jun 09, 2024
Research Description: Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.20.
Affected versions: max 1.6.21.
Status: vulnerable

CVE, Research URL: CVE-2022-2395
Home page URL: Security reports for weForms – Easy Drag & Drop Contact Form Builder For WordPress
Application: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Date: Aug 08, 2022
Research Description: The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Affected versions: max 1.6.14.
Status: vulnerable

CVE, Research URL: CVE-2020-22276
Home page URL: Security reports for weForms – Easy Drag & Drop Contact Form Builder For WordPress
Application: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Date: Nov 04, 2020
Research Description: WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.
Affected versions: max 1.6.4.
Status: vulnerable

CVE, Research URL: CVE-2023-50896
Home page URL: Security reports for weForms – Easy Drag & Drop Contact Form Builder For WordPress
Application: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Date: Dec 29, 2023
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress: from n/a through 1.6.17.
Affected versions: max 1.6.18.
Status: vulnerable