| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Jun 02, 2026, 18:06:10 | Entries count: 20 | | | |
| | Views for WPForms – Display & Edit WPForms Entries on your site frontend (vulnerable) | Jun 07, 2024, 02:06:02 | Min -, Max 3.2.3 | The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'create_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views. |
| | Views for WPForms – Display & Edit WPForms Entries on your site frontend (vulnerable) | Jun 07, 2024, 02:06:02 | Min -, Max 3.2.3 | The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'create_view' function. This makes it possible for unauthenticated attackers to create views via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| | Views for WPForms – Display & Edit WPForms Entries on your site frontend (vulnerable) | Jun 07, 2024, 02:06:02 | Min -, Max 3.2.3 | The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_form_fields' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views. |
| | Views for WPForms – Display & Edit WPForms Entries on your site frontend (vulnerable) | Jun 07, 2024, 02:06:02 | Min -, Max 3.2.3 | The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts. |
| | Views for WPForms – Display & Edit WPForms Entries on your site frontend (vulnerable) | Jun 07, 2024, 02:06:02 | Min -, Max 3.2.3 | The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'save_view' function. This makes it possible for unauthenticated attackers to modify arbitrary post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| | Views for WPForms – Display & Edit WPForms Entries on your site frontend (vulnerable) | May 14, 2026, 16:05:47 | Min -, Max 3.4.6 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection. This issue affects Views for WPForms: from n/a through <= 3.4.6. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Jun 07, 2024, 08:06:13 | Min -, Max 1.4.8 | A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Jun 07, 2024, 08:06:13 | Min -, Max 1.4.8 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite), WPForms WPForms Pro (wpforms) plugins <= 1.8.1.2 versions. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Jun 07, 2024, 08:06:13 | Min -, Max 1.8.8.2 | The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Nov 13, 2024, 13:11:04 | Min -, Max 1.9.2.1 | The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_ui function. This makes it possible for unauthenticated attackers to delete WPForm logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Feb 05, 2025, 18:02:22 | Min -, Max 1.9.3.2 | The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | May 10, 2025, 22:05:43 | Min -, Max 1.9.5.1 | The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the start_timestamp parameter in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Jun 02, 2026, 21:06:55 | Min -, Max 1.10.0.5 | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More [wpforms-lite] < 1.10.0.5 CVE-2026-48835 |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Jan 09, 2025, 03:01:59 | Min -, Max 1.9.2.3 | Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by WPForms: from n/a through 1.9.2.2. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Dec 25, 2024, 17:12:02 | Min -, Max 1.9.2.3 | The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Nov 20, 2024, 16:11:22 | Min -, Max 1.9.1.6 | The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Mar 29, 2026, 03:03:34 | Min -, Max 1.9.8.7 | Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data. This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Mar 29, 2026, 03:03:34 | Min -, Max 1.9.9.3 | Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Jan 27, 2026, 19:01:54 | Min -, Max 1.7.8 | WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser. |
| | Contact Form by WPForms – Drag & Drop Form Builder for WordPress (vulnerable) | Dec 11, 2024, 02:12:19 | Min 1.8.4, Max 1.9.2.1 | The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions. |