| CVE-2025-68863 | WordPress iContact for Gravity Forms plugin <= 1.3.2 - Reflected Cross Site Scripting (XSS) vulnerability | Zack Katz | iContact for Gravity Forms | - | - | 2026-02-20 15:46:44 | Deep Dive |
| CVE-2026-21627 | Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla | tassos.gr | Novarain/Tassos Framework (plg_system_nrframework) | - | - | 2026-02-20 14:22:15 | Deep Dive |
| CVE-2026-22422 | WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability | wpeverest | Everest Forms | - | - | 2026-02-19 08:26:48 | Deep Dive |
| CVE-2025-14444 | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment | metagauss | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | Medium | 5.3 | 2026-02-18 10:20:48 | Deep Dive |
| CVE-2026-1860 | Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Medium | 4.3 | 2026-02-18 07:25:41 | Deep Dive |
| CVE-2026-2002 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 4.4 | 2026-02-17 04:35:45 | Deep Dive |
| CVE-2026-0557 | WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode | peterschulznl | WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | Medium | 6.4 | 2026-02-14 06:42:30 | Deep Dive |
| CVE-2026-2022 | Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure | edgarrojas | Smart Forms – when you need more than just a contact form | Medium | 4.3 | 2026-02-14 06:42:28 | Deep Dive |
| CVE-2026-2268 | Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action | kstover | Ninja Forms – The Contact Form Builder That Grows With You | High | 7.5 | 2026-02-10 09:26:05 | Deep Dive |
| CVE-2026-0996 | Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 6.4 | 2026-02-10 05:29:42 | Deep Dive |
| CVE-2026-0632 | Fluent Forms Pro Add On Pack <= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource' | techjewel | Fluent Forms Pro Add On Pack | Medium | 5.4 | 2026-02-09 11:22:36 | Deep Dive |
| CVE-2026-24985 | WordPress WP Forms Signature Contract Add-On plugin <= 1.8.2 - Broken Access Control to Notice Dismissal vulnerability | approveme | WP Forms Signature Contract Add-On | - | - | 2026-02-03 14:08:36 | Deep Dive |
| CVE-2025-15510 | NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure | webaways | NEX-Forms – Ultimate Forms Plugin for WordPress | Medium | 5.3 | 2026-01-31 01:23:03 | Deep Dive |
| CVE-2026-24687 | Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac | umbraco | Umbraco.Forms.Issues | - | - | 2026-01-29 19:57:24 | Deep Dive |
| CVE-2026-1056 | Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal | inc2734 | Snow Monkey Forms | Critical | 9.8 | 2026-01-28 12:28:37 | Deep Dive |
| CVE-2026-1054 | RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification | metagauss | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | Medium | 5.3 | 2026-01-28 07:27:35 | Deep Dive |
| CVE-2026-0825 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export | crmperks | Database for Contact Form 7, WPforms, Elementor forms | Medium | 5.3 | 2026-01-28 06:43:43 | Deep Dive |
| CVE-2026-1244 | Forms Bridge <= 4.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | codeccoop | Forms Bridge – Infinite integrations | Medium | 6.4 | 2026-01-28 06:43:42 | Deep Dive |
| CVE-2025-14348 | weMail <= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure | wedevs | weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce | Medium | 5.3 | 2026-01-20 04:35:46 | Deep Dive |
| CVE-2025-15403 | RegistrationMagic <= 6.0.7.1 - Unauthenticated Privilege Escalation via admin_order | metagauss | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | Critical | 9.8 | 2026-01-17 02:22:32 | Deep Dive |