| CVE-2026-25430 | WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.2.2 - Broken Access Control vulnerability | CRM Perks | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | Medium | 6.5 | 2026-03-25 16:14:49 | Deep Dive |
| CVE-2026-25339 | WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability | Syed Balkhi | Contact Form by WPForms | Medium | - | 2026-03-25 16:14:42 | Deep Dive |
| CVE-2024-13785 | Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution | reputeinfosystems | Contact Form, Survey, Quiz & Popup Form Builder – ARForms | Medium | 5.6 | 2026-03-21 03:26:54 | Deep Dive |
| CVE-2026-3584 | Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Critical | 9.8 | 2026-03-20 21:25:11 | Deep Dive |
| CVE-2026-32460 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.36 - Cross Site Scripting (XSS) vulnerability | Themefic | Ultimate Addons for Contact Form 7 | Medium | - | 2026-03-13 11:42:23 | Deep Dive |
| CVE-2026-32446 | WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability | Syed Balkhi | Contact Form by WPForms | Medium | - | 2026-03-13 11:42:21 | Deep Dive |
| CVE-2026-32433 | WordPress CP Contact Form with Paypal plugin <= 1.3.61 - SQL Injection vulnerability | codepeople | CP Contact Form with Paypal | Medium | - | 2026-03-13 11:42:18 | Deep Dive |
| CVE-2026-2888 | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | Medium | 5.3 | 2026-03-13 08:25:17 | Deep Dive |
| CVE-2026-2890 | Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | High | 7.5 | 2026-03-13 07:23:40 | Deep Dive |
| CVE-2026-1454 | Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting | themehunk | Lead Form Builder & Contact Form | High | 7.2 | 2026-03-11 08:24:46 | Deep Dive |
| CVE-2026-2707 | weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API | boldgrid | weForms – Easy Drag & Drop Contact Form Builder For WordPress | Medium | 6.4 | 2026-03-11 05:27:18 | Deep Dive |
| CVE-2026-3459 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 8.1 | 2026-03-05 18:25:46 | Deep Dive |
| CVE-2026-2599 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv' | crmperks | Database for Contact Form 7, WPforms, Elementor forms | Critical | 9.8 | 2026-03-05 12:26:06 | Deep Dive |
| CVE-2026-1674 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema() | saadiqbal | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | Medium | 6.5 | 2026-03-04 11:22:31 | Deep Dive |
| CVE-2026-2568 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting | crmperks | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | High | 7.2 | 2026-03-03 09:24:12 | Deep Dive |
| CVE-2026-25320 | WordPress Elementor Contact Form DB plugin <= 2.1.3 - Broken Access Control vulnerability | Cool Plugins | Elementor Contact Form DB | - | - | 2026-02-19 08:26:55 | Deep Dive |
| CVE-2025-12845 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation | essekia | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | High | 8.8 | 2026-02-19 03:25:18 | Deep Dive |
| CVE-2026-1860 | Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Medium | 4.3 | 2026-02-18 07:25:41 | Deep Dive |
| CVE-2026-2002 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 4.4 | 2026-02-17 04:35:45 | Deep Dive |
| CVE-2026-0753 | Super Simple Contact Form <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter | bitacre | Super Simple Contact Form | High | 7.2 | 2026-02-14 06:42:35 | Deep Dive |