| CVE-2025-13531 | Stylish Order Form Builder <= 1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'product_name' Parameter | hayyatapps | Stylish Order Form Builder | Medium | 6.4 | 2026-01-07 08:21:51 | Deep Dive |
| CVE-2025-12449 | aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification | kodezen | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | Medium | 5.4 | 2026-01-07 07:17:34 | Deep Dive |
| CVE-2025-14842 | Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | Medium | 6.1 | 2026-01-07 06:36:04 | Deep Dive |
| CVE-2025-13657 | HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_query_args | helpdeskcom | HelpDesk Contact Form | Medium | 4.3 | 2026-01-07 06:36:00 | Deep Dive |
| CVE-2025-14901 | Bit Form – Contact Form Plugin <= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay | bitpressadmin | Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder | Medium | 6.5 | 2026-01-07 06:35:58 | Deep Dive |
| CVE-2025-14996 | AS Password Field In Default Registration Form <= 2.0.0 - Unauthenticated Privilege Escalation via Account Takeover | aksharsoftsolutions | AS Password Field In Default Registration Form | Critical | 9.8 | 2026-01-06 04:31:55 | Deep Dive |
| CVE-2025-13409 | Form Vibes – Database Manager for Forms <= 1.4.13 - Authenticated (Admin+) SQL Injection | wpvibes | Form Vibes – Database Manager for Forms | Medium | 4.9 | 2026-01-06 03:21:38 | Deep Dive |
| CVE-2023-51513 | WordPress Geo Controller plugin <= 8.5.2 - Cross Site Scripting (XSS) vulnerability | INTINITUM FORM | Geo Controller | Medium | 6.5 | 2026-01-05 13:30:44 | Deep Dive |
| CVE-2025-14428 | My Sticky Elements <= 2.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion | premio | All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements | Medium | 4.3 | 2026-01-01 16:19:31 | Deep Dive |
| CVE-2025-62134 | WordPress Contact Form Widget plugin <= 1.5.1 - Cross Site Request Forgery (CSRF) vulnerability | A WP Life | Contact Form Widget | Medium | 5.4 | 2025-12-31 13:53:35 | Deep Dive |
| CVE-2025-69008 | WordPress Inboxify Sign Up Form plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability | Inboxify | Inboxify Sign Up Form | Medium | 5.9 | 2025-12-30 10:47:53 | Deep Dive |
| CVE-2025-68989 | WordPress Contact Form 7 Extension For Mailchimp plugin <= 0.9.68 - Sensitive Data Exposure vulnerability | Renzo Johnson | contact-form-7-mailchimp-extension | Medium | 4.3 | 2025-12-30 10:47:50 | Deep Dive |
| CVE-2025-68590 | WordPress Integration for Contact Form 7 HubSpot plugin <= 1.4.2 - SQL Injection vulnerability | CRM Perks | Integration for Contact Form 7 HubSpot | High | 7.6 | 2025-12-24 13:10:43 | Deep Dive |
| CVE-2025-68569 | WordPress WP Time Slots Booking Form plugin <= 1.2.39 - Broken Access Control vulnerability | codepeople | WP Time Slots Booking Form | Medium | 6.5 | 2025-12-24 13:10:37 | Deep Dive |
| CVE-2025-68511 | WordPress Gutenverse Form plugin <= 2.3.1 - Broken Access Control vulnerability | Jegstudio | Gutenverse Form | Medium | 6.5 | 2025-12-24 12:31:22 | Deep Dive |
| CVE-2025-14800 | Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload | themeisle | Redirection for Contact Form 7 | High | 8.1 | 2025-12-21 07:31:11 | Deep Dive |
| CVE-2025-14855 | SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting | brainstormforce | SureForms – Contact Form, Payment Form & Other Custom Form Builder | High | 7.2 | 2025-12-21 07:31:10 | Deep Dive |
| CVE-2025-66117 | WordPress Easy Form plugin <= 2.7.8 - Broken Access Control vulnerability | Ays Pro | Easy Form | High | 7.5 | 2025-12-18 07:22:19 | Deep Dive |
| CVE-2025-64231 | WordPress WordPress Contact Form 7 PDF, Google Sheet & Database plugin <= 3.0.0 - Arbitrary File Upload vulnerability | RedefiningTheWeb | WordPress Contact Form 7 PDF, Google Sheet & Database | Critical | 9.9 | 2025-12-18 07:22:14 | Deep Dive |
| CVE-2025-60081 | WordPress PDF for Contact Form 7 plugin <= 6.5.0 - Deserialization of untrusted data vulnerability | add-ons.org | PDF for Contact Form 7 | High | 8.8 | 2025-12-18 07:22:07 | Deep Dive |