| CVE-2026-5478 | Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | High | 8.1 | 2026-04-20 19:27:08 | Deep Dive |
| CVE-2026-3330 | Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | Medium | 4.9 | 2026-04-17 03:36:44 | Deep Dive |
| CVE-2026-4160 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2026-04-16 13:27:09 | Deep Dive |
| CVE-2026-4388 | Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.2 | 2026-04-14 02:25:48 | Deep Dive |
| CVE-2026-3296 | Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Critical | 9.8 | 2026-04-08 01:24:44 | Deep Dive |
| CVE-2026-1307 | Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token | kstover | Ninja Forms – The Contact Form Builder That Grows With You | Medium | 6.5 | 2026-03-28 06:46:09 | Deep Dive |
| CVE-2026-4987 | SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id' | brainstormforce | SureForms – Contact Form, Payment Form & Other Custom Form Builder | High | 7.5 | 2026-03-28 01:25:46 | Deep Dive |
| CVE-2026-32532 | WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability | ThemeHunk | Contact Form & Lead Form Elementor Builder | Medium | - | 2026-03-25 16:15:10 | Deep Dive |
| CVE-2026-4373 | JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field | jetmonsters | JetFormBuilder — Dynamic Blocks Form Builder | High | 7.5 | 2026-03-21 06:45:14 | Deep Dive |
| CVE-2024-13785 | Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution | reputeinfosystems | Contact Form, Survey, Quiz & Popup Form Builder – ARForms | Medium | 5.6 | 2026-03-21 03:26:54 | Deep Dive |
| CVE-2026-2440 | SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | High | 7.2 | 2026-03-21 03:26:31 | Deep Dive |
| CVE-2026-3584 | Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Critical | 9.8 | 2026-03-20 21:25:11 | Deep Dive |
| CVE-2026-2888 | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | Medium | 5.3 | 2026-03-13 08:25:17 | Deep Dive |
| CVE-2026-2890 | Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | High | 7.5 | 2026-03-13 07:23:40 | Deep Dive |
| CVE-2026-1454 | Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting | themehunk | Lead Form Builder & Contact Form | High | 7.2 | 2026-03-11 08:24:46 | Deep Dive |
| CVE-2026-2707 | weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API | boldgrid | weForms – Easy Drag & Drop Contact Form Builder For WordPress | Medium | 6.4 | 2026-03-11 05:27:18 | Deep Dive |
| CVE-2026-1674 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema() | saadiqbal | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | Medium | 6.5 | 2026-03-04 11:22:31 | Deep Dive |
| CVE-2026-1860 | Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Medium | 4.3 | 2026-02-18 07:25:41 | Deep Dive |
| CVE-2026-2002 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 4.4 | 2026-02-17 04:35:45 | Deep Dive |
| CVE-2025-14067 | Easy Form Builder <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure | hassantafreshi | Easy Form Builder by WhiteStudio — Drag & Drop Form Builder | Medium | 5.3 | 2026-02-14 03:25:28 | Deep Dive |