| CVE-2025-11762 | HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure | hubspotdev | HubSpot All-In-One Marketing – Forms, Popups, Live Chat | Medium | 4.3 | 2026-04-24 07:45:07 | Deep Dive |
| CVE-2026-5478 | Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | High | 8.1 | 2026-04-20 19:27:08 | Deep Dive |
| CVE-2026-4160 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2026-04-16 13:27:09 | Deep Dive |
| CVE-2026-39657 | WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability | leadlovers | leadlovers forms | - | - | 2026-04-08 08:30:36 | Deep Dive |
| CVE-2026-1396 | Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | magicplugins | Magic Conversation For Gravity Forms | Medium | 6.4 | 2026-04-08 08:23:44 | Deep Dive |
| CVE-2026-3296 | Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Critical | 9.8 | 2026-04-08 01:24:44 | Deep Dive |
| CVE-2026-4406 | Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter | Gravity Forms | Gravity Forms | Medium | 4.7 | 2026-04-07 23:25:28 | Deep Dive |
| CVE-2026-4394 | Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field | Gravity Forms | Gravity Forms | Medium | 6.1 | 2026-04-07 23:25:28 | Deep Dive |
| CVE-2026-0740 | Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload | SaturdayDrive | Ninja Forms - File Uploads | Critical | 9.8 | 2026-04-07 04:25:59 | Deep Dive |
| CVE-2026-3831 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.9 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode | crmperks | Database for Contact Form 7, WPforms, Elementor forms | Medium | 4.3 | 2026-04-01 01:24:21 | Deep Dive |
| CVE-2026-3139 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field | cozmoslabs | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | Medium | 4.3 | 2026-03-31 11:18:56 | Deep Dive |
| CVE-2026-3300 | Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field | WPEverest | Everest Forms Pro | Critical | 9.8 | 2026-03-31 01:24:58 | Deep Dive |
| CVE-2026-1307 | Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token | kstover | Ninja Forms – The Contact Form Builder That Grows With You | Medium | 6.5 | 2026-03-28 06:46:09 | Deep Dive |
| CVE-2026-4281 | FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow | trainingbusinesspros | FormLift for Infusionsoft Web Forms | Medium | 5.3 | 2026-03-26 03:37:28 | Deep Dive |
| CVE-2026-23636 | Kiteworks Secure Data Forms is vulnerable to an Unrestricted Upload of File with Dangerous Type | kiteworks | Secure Data Forms | Medium | 5.5 | 2026-03-25 16:58:36 | Deep Dive |
| CVE-2026-23635 | Kiteworks Secure Data Forms has a potential Unprotected Transport of Credentials | kiteworks | Secure Data Forms | Medium | 6.5 | 2026-03-25 16:57:19 | Deep Dive |
| CVE-2026-32527 | WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.5 - Broken Access Control vulnerability | CRM Perks | WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | Medium | - | 2026-03-25 16:15:09 | Deep Dive |
| CVE-2026-25430 | WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.2.2 - Broken Access Control vulnerability | CRM Perks | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | Medium | 6.5 | 2026-03-25 16:14:49 | Deep Dive |
| CVE-2026-24363 | WordPress WP Cost Estimation & Payment Forms Builder plugin < 10.3.0 - Broken Access Control vulnerability | loopus | WP Cost Estimation & Payment Forms Builder | High | 7.5 | 2026-03-25 16:14:31 | Deep Dive |
| CVE-2026-24750 | Kiteworks Secure Data Forms vulnerable to Cross-site Scripting | kiteworks | Secure Data Forms | High | 7.6 | 2026-03-25 15:22:17 | Deep Dive |