| CVE-2026-2568 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting | crmperks | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | High | 7.2 | 2026-03-03 09:24:12 | Deep Dive |
| CVE-2025-68856 | WordPress Mopinion Feedback Form plugin <= 1.1.1 - Reflected Cross Site Scripting (XSS) vulnerability | keeswolters | Mopinion Feedback Form | - | - | 2026-02-20 15:46:44 | Deep Dive |
| CVE-2026-25418 | WordPress Bit Form plugin <= 2.21.10 - SQL Injection vulnerability | Bit Apps | Bit Form | - | - | 2026-02-19 08:27:07 | Deep Dive |
| CVE-2026-25368 | WordPress Calculated Fields Form plugin <= 5.4.4.1 - Broken Access Control vulnerability | codepeople | Calculated Fields Form | - | - | 2026-02-19 08:27:00 | Deep Dive |
| CVE-2026-25320 | WordPress Elementor Contact Form DB plugin <= 2.1.3 - Broken Access Control vulnerability | Cool Plugins | Elementor Contact Form DB | - | - | 2026-02-19 08:26:55 | Deep Dive |
| CVE-2025-12845 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation | essekia | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | High | 8.8 | 2026-02-19 03:25:18 | Deep Dive |
| CVE-2025-12172 | Mailchimp List Subscribe Form <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change | mailchimp | Mailchimp List Subscribe Form | Medium | 4.3 | 2026-02-19 03:25:13 | Deep Dive |
| CVE-2026-1860 | Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Medium | 4.3 | 2026-02-18 07:25:41 | Deep Dive |
| CVE-2026-2002 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 4.4 | 2026-02-17 04:35:45 | Deep Dive |
| CVE-2026-0753 | Super Simple Contact Form <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter | bitacre | Super Simple Contact Form | High | 7.2 | 2026-02-14 06:42:35 | Deep Dive |
| CVE-2026-2022 | Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure | edgarrojas | Smart Forms – when you need more than just a contact form | Medium | 4.3 | 2026-02-14 06:42:28 | Deep Dive |
| CVE-2026-0751 | Payment Page \| Payment Form for Stripe <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter | brandonfire | Payment Page \| Payment Form for Stripe | Medium | 6.4 | 2026-02-14 06:42:26 | Deep Dive |
| CVE-2025-14067 | Easy Form Builder <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure | hassantafreshi | Easy Form Builder by WhiteStudio — Drag & Drop Form Builder | Medium | 5.3 | 2026-02-14 03:25:28 | Deep Dive |
| CVE-2025-13973 | StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure | kasuga16 | StickEasy Protected Contact Form | Medium | 5.3 | 2026-02-14 03:25:27 | Deep Dive |
| CVE-2026-2268 | Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action | kstover | Ninja Forms – The Contact Form Builder That Grows With You | High | 7.5 | 2026-02-10 09:26:05 | Deep Dive |
| CVE-2026-0996 | Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 6.4 | 2026-02-10 05:29:42 | Deep Dive |
| CVE-2026-24945 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.34 - Broken Access Control vulnerability | Themefic | Ultimate Addons for Contact Form 7 | - | - | 2026-02-03 14:08:33 | Deep Dive |
| CVE-2026-1058 | Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.1 | 2026-02-03 06:38:06 | Deep Dive |
| CVE-2026-1065 | Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.2 | 2026-02-03 06:38:04 | Deep Dive |
| CVE-2026-1165 | Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change | ays-pro | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups | Medium | 4.3 | 2026-01-31 14:22:29 | Deep Dive |