| CVE-2026-1908 | Integration with Hubspot Forms <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | minnur | Integration with Hubspot Forms | Medium | 6.4 | 2026-03-21 03:26:59 | Deep Dive |
| CVE-2026-3584 | Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Critical | 9.8 | 2026-03-20 21:25:11 | Deep Dive |
| CVE-2026-27070 | WordPress Everest Forms Pro plugin <= 1.9.12 - Cross Site Scripting (XSS) vulnerability | WPEverest | Everest Forms Pro | High | 7.1 | 2026-03-19 08:43:56 | Deep Dive |
| CVE-2026-1947 | NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id | webaways | NEX-Forms – Ultimate Forms Plugin for WordPress | High | 7.5 | 2026-03-15 01:19:06 | Deep Dive |
| CVE-2026-1948 | NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license | webaways | NEX-Forms – Ultimate Forms Plugin for WordPress | Medium | 4.3 | 2026-03-14 03:24:14 | Deep Dive |
| CVE-2026-2888 | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | Medium | 5.3 | 2026-03-13 08:25:17 | Deep Dive |
| CVE-2026-2890 | Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | High | 7.5 | 2026-03-13 07:23:40 | Deep Dive |
| CVE-2026-28803 | Open Forms possible to view submission details of other people than intended | open-formulieren | open-forms | Medium | 6.5 | 2026-03-11 15:52:08 | Deep Dive |
| CVE-2026-3492 | Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title | Gravity Forms | Gravity Forms | Medium | 6.4 | 2026-03-11 09:25:44 | Deep Dive |
| CVE-2026-1753 | Gutena Forms < 1.6.1 - Contributor+ Arbitrary Limited Options Update | Unknown | Gutena Forms | - | - | 2026-03-11 06:00:03 | Deep Dive |
| CVE-2026-2599 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv' | crmperks | Database for Contact Form 7, WPforms, Elementor forms | Critical | 9.8 | 2026-03-05 12:26:06 | Deep Dive |
| CVE-2026-2899 | Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion | techjewel | Fluent Forms Pro Add On Pack | Medium | 6.5 | 2026-03-05 03:23:41 | Deep Dive |
| CVE-2026-2365 | Fluent Forms Pro <= 6.1.17 - Unauthenticated Stored Cross-Site Scripting via Draft Form Submission | techjewel | Fluent Forms Pro Add On Pack | High | 7.2 | 2026-03-05 03:23:41 | Deep Dive |
| CVE-2026-1674 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema() | saadiqbal | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | Medium | 6.5 | 2026-03-04 11:22:31 | Deep Dive |
| CVE-2026-2568 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting | crmperks | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | High | 7.2 | 2026-03-03 09:24:12 | Deep Dive |
| CVE-2026-2428 | Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification | techjewel | Fluent Forms Pro Add On Pack | High | 7.5 | 2026-02-27 03:23:19 | Deep Dive |
| CVE-2026-27449 | Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints | umbraco | Umbraco.Engage.Forms | High | 7.5 | 2026-02-26 21:51:15 | Deep Dive |
| CVE-2026-22350 | WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 6.3.1 - Broken Access Control vulnerability | add-ons.org | PDF for Elementor Forms + Drag And Drop Template Builder | Medium | 6.5 | 2026-02-20 15:47:01 | Deep Dive |
| CVE-2025-69326 | WordPress NEX-Forms plugin <= 9.1.7 - Reflected Cross Site Scripting (XSS) vulnerability | Basix | NEX-Forms | - | - | 2026-02-20 15:46:50 | Deep Dive |
| CVE-2025-69324 | WordPress NEX-Forms plugin <= 9.1.7 - Cross Site Scripting (XSS) vulnerability | Basix | NEX-Forms | - | - | 2026-02-20 15:46:49 | Deep Dive |