| CVE-2026-5364 | Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass | addonsorg | Drag and Drop File Upload for Contact Form 7 | High | 8.1 | 2026-04-24 05:29:37 | Deep Dive |
| CVE-2026-5718 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 8.1 | 2026-04-17 17:25:55 | Deep Dive |
| CVE-2026-5710 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 7.5 | 2026-04-17 17:25:55 | Deep Dive |
| CVE-2026-3330 | Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | Medium | 4.9 | 2026-04-17 03:36:44 | Deep Dive |
| CVE-2026-4388 | Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.2 | 2026-04-14 02:25:48 | Deep Dive |
| CVE-2026-2509 | Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes | softaculous | Page Builder: Pagelayer – Drag and Drop website builder | Medium | 6.4 | 2026-04-08 13:26:00 | Deep Dive |
| CVE-2026-2481 | Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]' | beaverbuilder | Beaver Builder Page Builder – Drag and Drop Website Builder | Medium | 6.4 | 2026-04-08 11:16:58 | Deep Dive |
| CVE-2026-2442 | Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email' | softaculous | Page Builder: Pagelayer – Drag and Drop website builder | Medium | 5.3 | 2026-03-28 09:27:10 | Deep Dive |
| CVE-2026-2440 | SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | High | 7.2 | 2026-03-21 03:26:31 | Deep Dive |
| CVE-2026-3584 | Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Critical | 9.8 | 2026-03-20 21:25:11 | Deep Dive |
| CVE-2026-2707 | weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API | boldgrid | weForms – Easy Drag & Drop Contact Form Builder For WordPress | Medium | 6.4 | 2026-03-11 05:27:18 | Deep Dive |
| CVE-2026-2830 | WP All Import <= 4.0.0 - Reflected Cross-Site Scripting via 'filepath' | wpallimport | WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets | Medium | 6.1 | 2026-03-06 07:22:51 | Deep Dive |
| CVE-2026-3459 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 8.1 | 2026-03-05 18:25:46 | Deep Dive |
| CVE-2026-22350 | WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.3.1 - Broken Access Control vulnerability | add-ons.org | PDF for Elementor Forms + Drag And Drop Template Builder | Medium | 6.5 | 2026-02-20 15:47:01 | Deep Dive |
| CVE-2026-1582 | WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling | soflyy | WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel | Low | 3.7 | 2026-02-18 12:28:35 | Deep Dive |
| CVE-2026-1860 | Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Medium | 4.3 | 2026-02-18 07:25:41 | Deep Dive |
| CVE-2025-14067 | Easy Form Builder <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure | hassantafreshi | Easy Form Builder by WhiteStudio — Drag & Drop Form Builder | Medium | 5.3 | 2026-02-14 03:25:28 | Deep Dive |
| CVE-2026-1231 | Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings | beaverbuilder | Beaver Builder Page Builder – Drag and Drop Website Builder | Medium | 6.4 | 2026-02-11 01:23:34 | Deep Dive |
| CVE-2026-1058 | Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.1 | 2026-02-03 06:38:06 | Deep Dive |
| CVE-2026-1065 | Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.2 | 2026-02-03 06:38:04 | Deep Dive |