| CVE-2025-10019 | WordPress Contact Form Email plugin <= 1.3.60 - Insecure Direct Object References (IDOR) vulnerability | codepeople | Contact Form Email | Medium | 6.5 | 2025-12-18 07:21:40 | Deep Dive |
| CVE-2025-11924 | Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token | kstover | Ninja Forms – The Contact Form Builder That Grows With You | High | 7.5 | 2025-12-17 06:42:31 | Deep Dive |
| CVE-2025-11991 | JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation | jetmonsters | JetFormBuilder — Dynamic Blocks Form Builder | Medium | 5.3 | 2025-12-16 07:21:06 | Deep Dive |
| CVE-2025-13367 | User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | wpeverest | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | Medium | 6.4 | 2025-12-15 14:25:10 | Deep Dive |
| CVE-2025-12696 | HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset | Unknown | HelloLeads CRM Form Shortcode | - | - | 2025-12-14 06:00:03 | Deep Dive |
| CVE-2025-14365 | Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion | dugudlabs | Eyewear prescription form | Medium | 5.3 | 2025-12-13 04:31:32 | Deep Dive |
| CVE-2025-14366 | Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation | dugudlabs | Eyewear prescription form | Medium | 5.3 | 2025-12-13 04:31:21 | Deep Dive |
| CVE-2025-14074 | PDF for Contact Form 7 + Drag and Drop Template Builder <= 6.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Duplication | addonsorg | PDF for Contact Form 7 + Drag and Drop Template Builder | Medium | 4.3 | 2025-12-12 09:20:28 | Deep Dive |
| CVE-2025-14356 | Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF | themefic | Ultra Addons for Contact Form 7 | Medium | 4.3 | 2025-12-12 06:32:58 | Deep Dive |
| CVE-2025-13975 | Contact Form 7 with ChatWork <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'api_token' and 'roomid' Settings | izuchy | Contact Form 7 with ChatWork | Medium | 4.4 | 2025-12-12 03:21:03 | Deep Dive |
| CVE-2025-12834 | Accept Stripe Payments Using Contact Form 7 <= 3.1 - Reflected Cross-Site Scripting via failure_message | zealopensource | Accept Stripe Payments Using Contact Form 7 | Medium | 6.1 | 2025-12-12 03:20:59 | Deep Dive |
| CVE-2025-14393 | Wpik WordPress Basic Ajax Form <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | awanhrp | Wpik WordPress Basic Ajax Form | Medium | 6.4 | 2025-12-12 03:20:41 | Deep Dive |
| CVE-2025-13642 | ProfilePress <= 4.16.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution | properfraction | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | Medium | 5.4 | 2025-12-09 15:23:48 | Deep Dive |
| CVE-2025-63068 | WordPress Contact Form 7 Dynamic Text Extension plugin <= 5.0.5 - Content Injection vulnerability | sevenspark | Contact Form 7 – Dynamic Text Extension | Medium | 5.3 | 2025-12-09 14:52:35 | Deep Dive |
| CVE-2025-63056 | WordPress Contact Form by BestWebSoft plugin <= 4.3.6 - Broken Access Control vulnerability | bestwebsoft | Contact Form by BestWebSoft | Medium | 4.3 | 2025-12-09 14:52:33 | Deep Dive |
| CVE-2025-63048 | WordPress ListingPro Lead Form plugin <= 1.0.7 - Cross Site Scripting (XSS) vulnerability | CridioStudio | ListingPro Lead Form | Medium | 6.5 | 2025-12-09 14:52:32 | Deep Dive |
| CVE-2025-63049 | WordPress ListingPro Lead Form plugin <= 1.0.7 - Broken Access Control vulnerability | CridioStudio | ListingPro Lead Form | Medium | 5.3 | 2025-12-09 14:52:32 | Deep Dive |
| CVE-2025-62109 | WordPress Geo Controller plugin <= 8.9.4 - Sensitive Data Exposure vulnerability | INFINITUM FORM | Geo Controller | Medium | 5.3 | 2025-12-09 14:52:21 | Deep Dive |
| CVE-2025-67577 | WordPress Easy Form Builder plugin <= 3.8.20 - Broken Access Control vulnerability | hassantafreshi | Easy Form Builder | Medium | 5.3 | 2025-12-09 14:14:14 | Deep Dive |
| CVE-2025-67468 | WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.6 - Broken Access Control vulnerability | CRM Perks | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | Medium | 4.3 | 2025-12-09 14:13:56 | Deep Dive |