| CVE-2026-2268 | Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action | kstover | Ninja Forms – The Contact Form Builder That Grows With You | High | 7.5 | 2026-02-10 09:26:05 | Deep Dive |
| CVE-2026-0996 | Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 6.4 | 2026-02-10 05:29:42 | Deep Dive |
| CVE-2026-1058 | Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.1 | 2026-02-03 06:38:06 | Deep Dive |
| CVE-2026-1065 | Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.2 | 2026-02-03 06:38:04 | Deep Dive |
| CVE-2025-13205 | SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 2.5.2 - Cross-Site Request Forgery to Survey Cloning | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | Medium | 4.3 | 2026-01-24 09:08:09 | Deep Dive |
| CVE-2025-13194 | SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 2.5.2 - Cross-Site Request Forgery to Survey Renaming | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | Medium | 4.3 | 2026-01-24 09:08:08 | Deep Dive |
| CVE-2025-13139 | SurveyJS: Drag & Drop WordPress Form Builder <= 2.5.2 - Cross-Site Request Forgery to Survey Creation | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | Medium | 4.3 | 2026-01-24 09:08:06 | Deep Dive |
| CVE-2026-0633 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 - Unauthenticated Form Submission Exposure via Forgeable Cookie Value | roxnor | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | Low | 3.7 | 2026-01-24 08:26:36 | Deep Dive |
| CVE-2026-22472 | WordPress Easy Form Builder plugin <= 3.9.6 - Broken Access Control vulnerability | hassantafreshi | Easy Form Builder | Medium | 4.3 | 2026-01-22 16:52:42 | Deep Dive |
| CVE-2025-68046 | WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Sensitive Data Exposure vulnerability | ThemeHunk | Contact Form & Lead Form Elementor Builder | - | - | 2026-01-22 16:52:06 | Deep Dive |
| CVE-2025-12178 | SpiceForms Form Builder <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | aankit | SpiceForms Form Builder | Medium | 6.4 | 2026-01-14 05:28:12 | Deep Dive |
| CVE-2025-14976 | User Registration & Membership <= 4.4.8 - Cross-Site Request Forgery to Arbitrary Post Deletion | wpeverest | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | Medium | 5.4 | 2026-01-10 08:22:57 | Deep Dive |
| CVE-2025-14782 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 5.3 | 2026-01-09 06:34:53 | Deep Dive |
| CVE-2025-14984 | Gutenverse Form <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | jegstudio | Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor | Medium | 6.4 | 2026-01-08 09:20:52 | Deep Dive |
| CVE-2025-13722 | Fluent Forms <= 6.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Creation via AI Builder | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2026-01-07 09:21:06 | Deep Dive |
| CVE-2025-13531 | Stylish Order Form Builder <= 1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'product_name' Parameter | hayyatapps | Stylish Order Form Builder | Medium | 6.4 | 2026-01-07 08:21:51 | Deep Dive |
| CVE-2025-12449 | aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification | kodezen | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | Medium | 5.4 | 2026-01-07 07:17:34 | Deep Dive |
| CVE-2025-14901 | Bit Form – Contact Form Plugin <= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay | bitpressadmin | Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder | Medium | 6.5 | 2026-01-07 06:35:58 | Deep Dive |
| CVE-2025-14855 | SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting | brainstormforce | SureForms – Contact Form, Payment Form & Other Custom Form Builder | High | 7.2 | 2025-12-21 07:31:10 | Deep Dive |
| CVE-2025-11924 | Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token | kstover | Ninja Forms – The Contact Form Builder That Grows With You | High | 7.5 | 2025-12-17 06:42:31 | Deep Dive |