| CVE-2026-2022 | Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure | edgarrojas | Smart Forms – when you need more than just a contact form | Medium | 4.3 | 2026-02-14 06:42:28 | Deep Dive |
| CVE-2025-13973 | StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure | kasuga16 | StickEasy Protected Contact Form | Medium | 5.3 | 2026-02-14 03:25:27 | Deep Dive |
| CVE-2026-2268 | Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action | kstover | Ninja Forms – The Contact Form Builder That Grows With You | High | 7.5 | 2026-02-10 09:26:05 | Deep Dive |
| CVE-2026-0996 | Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 6.4 | 2026-02-10 05:29:42 | Deep Dive |
| CVE-2026-24945 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.34 - Broken Access Control vulnerability | Themefic | Ultimate Addons for Contact Form 7 | - | - | 2026-02-03 14:08:33 | Deep Dive |
| CVE-2026-1058 | Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.1 | 2026-02-03 06:38:06 | Deep Dive |
| CVE-2026-1065 | Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.2 | 2026-02-03 06:38:04 | Deep Dive |
| CVE-2026-1165 | Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change | ays-pro | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups | Medium | 4.3 | 2026-01-31 14:22:29 | Deep Dive |
| CVE-2026-0825 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export | crmperks | Database for Contact Form 7, WPforms, Elementor forms | Medium | 5.3 | 2026-01-28 06:43:43 | Deep Dive |
| CVE-2026-0633 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 - Unauthenticated Form Submission Exposure via Forgeable Cookie Value | roxnor | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | Low | 3.7 | 2026-01-24 08:26:36 | Deep Dive |
| CVE-2026-24559 | WordPress Integration for Contact Form 7 HubSpot plugin <= 1.4.3 - Sensitive Data Exposure vulnerability | CRM Perks | Integration for Contact Form 7 HubSpot | Medium | 5.3 | 2026-01-23 14:28:55 | Deep Dive |
| CVE-2026-24557 | WordPress Contact Form 7 GetResponse Extension plugin <= 1.0.8 - Sensitive Data Exposure vulnerability | WEN Solutions | Contact Form 7 GetResponse Extension | 中危 | - | 2026-01-23 14:28:54 | Deep Dive |
| CVE-2025-68046 | WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Sensitive Data Exposure vulnerability | ThemeHunk | Contact Form & Lead Form Elementor Builder | - | - | 2026-01-22 16:52:06 | Deep Dive |
| CVE-2025-12825 | User Registration Using Contact Form 7 <= 2.5 - Authenticated (Subscriber+) Information Exposure | zealopensource | User Registration Using Contact Form 7 | Medium | 5.3 | 2026-01-17 04:34:02 | Deep Dive |
| CVE-2025-12718 | Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay | saadiqbal | Quick Contact Form | Medium | 5.8 | 2026-01-17 02:22:33 | Deep Dive |
| CVE-2025-14457 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | Low | 3.7 | 2026-01-15 06:45:04 | Deep Dive |
| CVE-2025-13717 | Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter | ashishajani | Contact Form vCard Generator | Medium | 5.3 | 2026-01-09 11:15:35 | Deep Dive |
| CVE-2025-14782 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 5.3 | 2026-01-09 06:34:53 | Deep Dive |
| CVE-2025-14984 | Gutenverse Form <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | jegstudio | Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor | Medium | 6.4 | 2026-01-08 09:20:52 | Deep Dive |
| CVE-2025-13722 | Fluent Forms <= 6.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Creation via AI Builder | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2026-01-07 09:21:06 | Deep Dive |