| CVE-2025-13861 | HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting | linksoftware | HTML Forms – Simple WordPress Forms Plugin | Medium | 6.1 | 2025-12-17 04:31:31 | Deep Dive |
| CVE-2025-13610 | RegistrationMagic <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode | metagauss | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | Medium | 6.4 | 2025-12-15 14:25:11 | Deep Dive |
| CVE-2025-13993 | MailerLite – Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting | mailerlite | MailerLite – Signup forms (official) | Medium | 5.5 | 2025-12-12 09:20:29 | Deep Dive |
| CVE-2025-14344 | Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion | sh1zen | Multi Uploader for Gravity Forms | Critical | 9.8 | 2025-12-12 03:20:43 | Deep Dive |
| CVE-2025-62738 | WordPress Formstack Online Forms plugin <= 2.0.2 - Broken Access Control vulnerability | mmattax | Formstack Online Forms | - | - | 2025-12-09 14:52:23 | Deep Dive |
| CVE-2025-67587 | WordPress WP Gravity Forms FreshDesk Plugin plugin <= 1.3.5 - Open Redirection vulnerability | CRM Perks | WP Gravity Forms FreshDesk Plugin | Medium | 4.7 | 2025-12-09 14:14:17 | Deep Dive |
| CVE-2025-67468 | WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.6 - Broken Access Control vulnerability | CRM Perks | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | Medium | 4.3 | 2025-12-09 14:13:56 | Deep Dive |
| CVE-2025-13748 | Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2025-12-06 06:39:09 | Deep Dive |
| CVE-2025-13140 | SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Deletion | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | Medium | 4.3 | 2025-12-02 06:40:25 | Deep Dive |
| CVE-2025-13136 | GSheetConnector For Ninja Forms <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) System Information Exposure | westerndeal | GSheetConnector For Ninja Forms | Medium | 4.3 | 2025-11-22 08:30:29 | Deep Dive |
| CVE-2025-13159 | Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload | flothemesplugins | Flo Forms – Easy Drag & Drop Form Builder | High | 7.1 | 2025-11-21 07:31:52 | Deep Dive |
| CVE-2025-13054 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.14.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | cozmoslabs | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | Medium | 6.4 | 2025-11-19 05:45:12 | Deep Dive |
| CVE-2025-64515 | Open Forms prefill data in read-only components can be tampered | open-formulieren | open-forms | Medium | 4.3 | 2025-11-18 22:39:48 | Deep Dive |
| CVE-2025-12639 | wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions \| for WooCommerce <= 1.2.2 - Missing Authorization to Sensitive Information Disclosure | sundayfanz | wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions \| for WooCommerce | Medium | 4.3 | 2025-11-18 09:27:39 | Deep Dive |
| CVE-2025-12528 | Pie Forms for WP <= 1.6 - Unauthenticated Arbitrary File Upload | genetechproducts | Pie Forms — Drag & Drop Form Builder | High | 8.1 | 2025-11-18 08:27:31 | Deep Dive |
| CVE-2025-12974 | Gravity Forms <= 2.9.21.1 - Unauthenticated Arbitrary File Upload via Legacy Chunked Upload | Gravity Forms | Gravity Forms | High | 8.1 | 2025-11-18 03:27:07 | Deep Dive |
| CVE-2025-64264 | WordPress Popup addon for Ninja Forms plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability | Aman | Popup addon for Ninja Forms | Medium | - | 2025-11-13 09:24:29 | Deep Dive |
| CVE-2025-12125 | HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting | linksoftware | HTML Forms – Simple WordPress Forms Plugin | Medium | 4.4 | 2025-11-08 03:27:51 | Deep Dive |
| CVE-2025-12352 | Gravity Forms <= 2.9.20 - Unauthenticated Arbitrary File Upload via 'copy_post_image' | Gravity Forms | Gravity Forms | Critical | 9.8 | 2025-11-07 04:28:54 | Deep Dive |
| CVE-2025-60197 | WordPress Simple Contact Forms plugin <= 1.6.4 - Local File Inclusion vulnerability | owenr88 | Simple Contact Forms | High | 8.1 | 2025-11-06 15:54:55 | Deep Dive |