| CVE-2025-14028 | Contact Us Simple Form <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | bruterdregz | Contact Us Simple Form | Medium | 4.4 | 2026-01-07 09:20:54 | Deep Dive |
| CVE-2025-14842 | Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | Medium | 6.1 | 2026-01-07 06:36:04 | Deep Dive |
| CVE-2025-13657 | HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_query_args | helpdeskcom | HelpDesk Contact Form | Medium | 4.3 | 2026-01-07 06:36:00 | Deep Dive |
| CVE-2025-14901 | Bit Form – Contact Form Plugin <= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay | bitpressadmin | Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder | Medium | 6.5 | 2026-01-07 06:35:58 | Deep Dive |
| CVE-2025-14428 | My Sticky Elements <= 2.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion | premio | All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements | Medium | 4.3 | 2026-01-01 16:19:31 | Deep Dive |
| CVE-2025-62134 | WordPress Contact Form Widget plugin <= 1.5.1 - Cross Site Request Forgery (CSRF) vulnerability | A WP Life | Contact Form Widget | Medium | 5.4 | 2025-12-31 13:53:35 | Deep Dive |
| CVE-2025-68989 | WordPress Contact Form 7 Extension For Mailchimp plugin <= 0.9.68 - Sensitive Data Exposure vulnerability | Renzo Johnson | contact-form-7-mailchimp-extension | Medium | 4.3 | 2025-12-30 10:47:50 | Deep Dive |
| CVE-2025-68590 | WordPress Integration for Contact Form 7 HubSpot plugin <= 1.4.2 - SQL Injection vulnerability | CRM Perks | Integration for Contact Form 7 HubSpot | High | 7.6 | 2025-12-24 13:10:43 | Deep Dive |
| CVE-2025-14800 | Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload | themeisle | Redirection for Contact Form 7 | High | 8.1 | 2025-12-21 07:31:11 | Deep Dive |
| CVE-2025-14855 | SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting | brainstormforce | SureForms – Contact Form, Payment Form & Other Custom Form Builder | High | 7.2 | 2025-12-21 07:31:10 | Deep Dive |
| CVE-2025-64231 | WordPress WordPress Contact Form 7 PDF, Google Sheet & Database plugin <= 3.0.0 - Arbitrary File Upload vulnerability | RedefiningTheWeb | WordPress Contact Form 7 PDF, Google Sheet & Database | Critical | 9.9 | 2025-12-18 07:22:14 | Deep Dive |
| CVE-2025-60081 | WordPress PDF for Contact Form 7 plugin <= 6.5.0 - Deserialization of untrusted data vulnerability | add-ons.org | PDF for Contact Form 7 | - | - | 2025-12-18 07:22:07 | Deep Dive |
| CVE-2025-10019 | WordPress Contact Form Email plugin <= 1.3.60 - Insecure Direct Object References (IDOR) vulnerability | codepeople | Contact Form Email | Medium | 6.5 | 2025-12-18 07:21:40 | Deep Dive |
| CVE-2025-11924 | Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token | kstover | Ninja Forms – The Contact Form Builder That Grows With You | High | 7.5 | 2025-12-17 06:42:31 | Deep Dive |
| CVE-2025-14074 | PDF for Contact Form 7 + Drag and Drop Template Builder <= 6.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Duplication | addonsorg | PDF for Contact Form 7 + Drag and Drop Template Builder | Medium | 4.3 | 2025-12-12 09:20:28 | Deep Dive |
| CVE-2025-14356 | Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF | themefic | Ultra Addons for Contact Form 7 | Medium | 4.3 | 2025-12-12 06:32:58 | Deep Dive |
| CVE-2025-13975 | Contact Form 7 with ChatWork <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'api_token' and 'roomid' Settings | izuchy | Contact Form 7 with ChatWork | Medium | 4.4 | 2025-12-12 03:21:03 | Deep Dive |
| CVE-2025-12834 | Accept Stripe Payments Using Contact Form 7 <= 3.1 - Reflected Cross-Site Scripting via failure_message | zealopensource | Accept Stripe Payments Using Contact Form 7 | Medium | 6.1 | 2025-12-12 03:20:59 | Deep Dive |
| CVE-2025-63068 | WordPress Contact Form 7 Dynamic Text Extension plugin <= 5.0.5 - Content Injection vulnerability | sevenspark | Contact Form 7 – Dynamic Text Extension | - | - | 2025-12-09 14:52:35 | Deep Dive |
| CVE-2025-63056 | WordPress Contact Form by BestWebSoft plugin <= 4.3.6 - Broken Access Control vulnerability | bestwebsoft | Contact Form by BestWebSoft | Medium | 4.3 | 2025-12-09 14:52:33 | Deep Dive |