| CVE-2025-7697 | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function | crmperks | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | Critical | 9.8 | 2025-07-19 04:23:03 | Deep Dive |
| CVE-2025-7696 | Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function | crmperks | Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms | Critical | 9.8 | 2025-07-19 04:23:02 | Deep Dive |
| CVE-2025-49289 | WordPress PDF for WPForms plugin <= 5.5.0 - Broken Access Control Vulnerability | add-ons.org | PDF for WPForms | Medium | 5.0 | 2025-06-06 12:53:44 | Deep Dive |
| CVE-2025-4659 | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.4 - Unauthenticated Full Path Disclosure | crmperks | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | Medium | 5.3 | 2025-05-30 05:23:20 | Deep Dive |
| CVE-2025-3794 | WPForms Lite <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start_timestamp' Parameter | smub | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | Medium | 5.4 | 2025-05-09 22:22:13 | Deep Dive |
| CVE-2025-32269 | WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms Plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability | CRM Perks | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | Medium | 4.3 | 2025-04-04 15:59:43 | Deep Dive |
| CVE-2025-30863 | WordPress Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) vulnerability | CRM Perks | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | Medium | 4.3 | 2025-03-27 10:55:33 | Deep Dive |
| CVE-2025-30767 | WordPress PDF for WPForms plugin <= 5.3.0 - Arbitrary Shortcode Execution vulnerability | add-ons.org | PDF for WPForms | Medium | 5.4 | 2025-03-27 10:54:37 | Deep Dive |
| CVE-2024-12164 | WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset | creativewerkdesigns | WPSyncSheets For WPForms – Google Sheets Connector for WPForms & Real‑Time Data Export | Medium | 4.3 | 2025-02-12 04:22:15 | Deep Dive |
| CVE-2024-13403 | WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter | smub | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | Medium | 6.4 | 2025-02-04 08:21:07 | Deep Dive |
| CVE-2025-24708 | WordPress WP Dynamics CRM plugin <= 1.1.6 - Reflected Cross Site Scripting (XSS) vulnerability | CRM Perks | WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | High | 7.1 | 2025-01-27 14:22:18 | Deep Dive |
| CVE-2024-12593 | PDF for WPForms + Drag and Drop Template Builder <= 4.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via yeepdf_dotab Shortcode | addonsorg | PDF for WPForms + Drag and Drop Template Builder | Medium | 6.4 | 2025-01-15 11:24:37 | Deep Dive |
| CVE-2024-56276 | WordPress WPForms Lite plugin <= 1.9.2.2 - Broken Access Control vulnerability | Syed Balkhi | Contact Form by WPForms | Medium | 4.3 | 2025-01-07 10:49:25 | Deep Dive |
| CVE-2024-11223 | WPForms < 1.9.2.3 - Admin+ Stored XSS | Unknown | WPForms | Medium | - | 2024-12-26 06:00:09 | Deep Dive |
| CVE-2024-11205 | WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation | smub | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | High | 8.5 | 2024-12-10 04:23:41 | Deep Dive |
| CVE-2024-7056 | WPForms < 1.9.1.6 - Admin+ Stored XSS | Unknown | WPForms | - | - | 2024-11-25 06:00:15 | Deep Dive |
| CVE-2024-52347 | WordPress Website remote Install vor Gravity, WPForms, Formidable, Ninja, Caldera plugin <= 4.0 - Cross Site Scripting (XSS) vulnerability | wpwebsitecreator | Website remote Install vor Gravity, WPForms, Formidable, Ninja, Caldera | Medium | 6.5 | 2024-11-18 21:54:34 | Deep Dive |
| CVE-2024-10593 | WPForms – Easy Form Builder for WordPress <= 1.9.1.6 - Cross-Site Request Forgery (CSRF) to Plugin's Log Deletion | smub | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | Medium | 4.3 | 2024-11-13 02:33:17 | Deep Dive |
| CVE-2024-10016 | File Upload Types by WPForms <= 1.4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | jaredatch | File Upload Types by WPForms | Medium | 6.4 | 2024-10-25 08:34:40 | Deep Dive |
| CVE-2022-4974 | Freemius SDK <= 2.4.2 - Missing Authorization Checks | dashlabsltd | YASR – Yet Another Star Rating Plugin for WordPress | Medium | 6.3 | 2024-10-16 06:43:30 | Deep Dive |