| CVE-2025-10489 | SureForms – Drag and Drop Form Builder for WordPress <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation | brainstormforce | SureForms – Contact Form, Payment Form & Other Custom Form Builder | Medium | 4.3 | 2025-09-20 04:27:55 | Deep Dive |
| CVE-2025-8280 | Contact Form 7 reCAPTCHA <= 1.2.0 - Reflected XSS via $_SERVER['REQUEST_URI'] | Unknown | Contact Form 7 reCAPTCHA | 中危 | - | 2025-09-12 06:00:06 | Deep Dive |
| CVE-2025-58989 | WordPress Dynamic Text Field For Contact Form 7 Plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability | silverplugins217 | Dynamic Text Field For Contact Form 7 | Medium | 6.5 | 2025-09-09 16:33:10 | Deep Dive |
| CVE-2025-58639 | WordPress Contact Form By Mega Forms Plugin <= 1.6.1 - Broken Access Control Vulnerability | Ali Khallad | Contact Form By Mega Forms | Medium | 5.4 | 2025-09-03 14:36:57 | Deep Dive |
| CVE-2025-9260 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 5.1.16 - 6.1.1 - Authenticated (Subscriber+) PHP Object Injection To Arbitrary File Read | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 6.5 | 2025-09-02 23:22:46 | Deep Dive |
| CVE-2025-8141 | Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion | themeisle | Redirection for Contact Form 7 | High | 8.8 | 2025-08-20 01:44:37 | Deep Dive |
| CVE-2025-8289 | Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection via PHAR Deserialization | themeisle | Redirection for Contact Form 7 | High | 7.5 | 2025-08-20 01:44:36 | Deep Dive |
| CVE-2025-8145 | Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection | themeisle | Redirection for Contact Form 7 | High | 8.8 | 2025-08-20 01:44:36 | Deep Dive |
| CVE-2025-8464 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.0 - Directory Traversal via `wpcf7_guest_user_id` Cookie | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | Medium | 5.3 | 2025-08-16 07:25:29 | Deep Dive |
| CVE-2025-6679 | Contact Form by Bit Form - Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Upload | bitpressadmin | Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder | Critical | 9.8 | 2025-08-15 06:40:43 | Deep Dive |
| CVE-2025-54684 | WordPress Integration for Contact Form 7 and Constant Contact Plugin plugin <= 1.1.7 - Cross Site Scripting (XSS) Vulnerability | CRM Perks | Integration for Contact Form 7 and Constant Contact | Medium | 5.9 | 2025-08-14 10:34:47 | Deep Dive |
| CVE-2025-31007 | WordPress Billplz Addon for Contact Form 7 Plugin <= 1.2.0 - Cross Site Scripting (XSS) Vulnerability | Alvind | Billplz Addon for Contact Form 7 | High | 7.1 | 2025-08-14 10:34:28 | Deep Dive |
| CVE-2025-7384 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 - Unauthenticated PHP Object Injection to Arbitrary File Deletion | crmperks | Database for Contact Form 7, WPforms, Elementor forms | Critical | 9.8 | 2025-08-13 04:22:57 | Deep Dive |
| CVE-2025-8315 | WP Easy Contact <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter | emarket-design | Simple Contact Form Plugin for WordPress – WP Easy Contact | Medium | 6.4 | 2025-08-05 06:39:48 | Deep Dive |
| CVE-2025-5684 | MetForm <= 4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element | roxnor | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | Medium | 6.4 | 2025-07-29 19:42:34 | Deep Dive |
| CVE-2025-7645 | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) <= 3.2.8 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion | htplugins | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | High | 8.1 | 2025-07-22 06:38:50 | Deep Dive |
| CVE-2015-10137 | Website Contact Form With File Upload <= 1.3.4 - Arbitrary File Upload | N-Media | Website Contact Form With File Upload | Critical | 9.8 | 2025-07-22 01:44:29 | Deep Dive |
| CVE-2025-7697 | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function | crmperks | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | Critical | 9.8 | 2025-07-19 04:23:03 | Deep Dive |
| CVE-2025-7696 | Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function | crmperks | Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms | Critical | 9.8 | 2025-07-19 04:23:02 | Deep Dive |
| CVE-2025-7638 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 4.9 | 2025-07-18 04:23:02 | Deep Dive |