| CVE-2026-5478 | Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | High | 8.1 | 2026-04-20 19:27:08 | Deep Dive |
| CVE-2026-4160 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2026-04-16 13:27:09 | Deep Dive |
| CVE-2026-3296 | Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Critical | 9.8 | 2026-04-08 01:24:44 | Deep Dive |
| CVE-2024-13785 | Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution | reputeinfosystems | Contact Form, Survey, Quiz & Popup Form Builder – ARForms | Medium | 5.6 | 2026-03-21 03:26:54 | Deep Dive |
| CVE-2026-2888 | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | Medium | 5.3 | 2026-03-13 08:25:17 | Deep Dive |
| CVE-2026-2890 | Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | High | 7.5 | 2026-03-13 07:23:40 | Deep Dive |
| CVE-2026-1674 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema() | saadiqbal | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | Medium | 6.5 | 2026-03-04 11:22:31 | Deep Dive |
| CVE-2026-0996 | Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 6.4 | 2026-02-10 05:29:42 | Deep Dive |
| CVE-2026-0633 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 - Unauthenticated Form Submission Exposure via Forgeable Cookie Value | roxnor | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | Low | 3.7 | 2026-01-24 08:26:36 | Deep Dive |
| CVE-2025-13722 | Fluent Forms <= 6.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Creation via AI Builder | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2026-01-07 09:21:06 | Deep Dive |
| CVE-2025-13748 | Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2025-12-06 06:39:09 | Deep Dive |
| CVE-2025-9260 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 5.1.16 - 6.1.1 - Authenticated (Subscriber+) PHP Object Injection To Arbitrary File Read | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 6.5 | 2025-09-02 23:22:46 | Deep Dive |
| CVE-2025-5684 | MetForm <= 4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element | roxnor | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | Medium | 6.4 | 2025-07-29 19:42:34 | Deep Dive |
| CVE-2024-10504 | ARForms Builder < 1.7.1 - Unauthenticated Stored XSS | Unknown | Contact Form, Survey, Quiz & Popup Form Builder | - | - | 2025-05-15 20:06:44 | Deep Dive |
| CVE-2025-3615 | Fluent Forms <= 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 6.4 | 2025-04-17 07:34:08 | Deep Dive |
| CVE-2025-3421 | Everest Forms <= 3.1.1 - Reflected Cross-Site Scripting | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Medium | 6.1 | 2025-04-11 12:42:25 | Deep Dive |
| CVE-2025-3422 | Everest Forms <= 3.1.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Medium | 5.4 | 2025-04-11 12:42:24 | Deep Dive |
| CVE-2025-3439 | Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.1.1 - Unauthenticated PHP Object Injection | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Critical | 9.8 | 2025-04-11 12:42:24 | Deep Dive |
| CVE-2024-13666 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 5.2.12 - IP-Spoofing | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2025-03-22 08:24:18 | Deep Dive |
| CVE-2025-1128 | Everest Forms <= 3.0.9.4 - Unauthenticated Arbitrary File Upload, Read, and Deletion | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Critical | 9.8 | 2025-02-25 06:58:31 | Deep Dive |