| CVE-2026-6810 | Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover | codepeople | Booking Calendar Contact Form | Medium | 5.3 | 2026-04-24 05:29:38 | Deep Dive |
| CVE-2026-5364 | Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass | addonsorg | Drag and Drop File Upload for Contact Form 7 | High | 8.1 | 2026-04-24 05:29:37 | Deep Dive |
| CVE-2026-5478 | Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | High | 8.1 | 2026-04-20 19:27:08 | Deep Dive |
| CVE-2026-5718 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 8.1 | 2026-04-17 17:25:55 | Deep Dive |
| CVE-2026-5710 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 7.5 | 2026-04-17 17:25:55 | Deep Dive |
| CVE-2026-3330 | Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | Medium | 4.9 | 2026-04-17 03:36:44 | Deep Dive |
| CVE-2026-4160 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2026-04-16 13:27:09 | Deep Dive |
| CVE-2026-40764 | WordPress Contact Form by WPForms plugin <= 1.10.0.2 - Cross Site Request Forgery (CSRF) vulnerability | Syed Balkhi | Contact Form by WPForms | Medium | - | 2026-04-15 10:21:35 | Deep Dive |
| CVE-2026-4388 | Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.2 | 2026-04-14 02:25:48 | Deep Dive |
| CVE-2026-39707 | WordPress Accept PayPal Payments using Contact Form 7 plugin <= 4.0.4 - Broken Access Control vulnerability | ZealousWeb | Accept PayPal Payments using Contact Form 7 | - | - | 2026-04-08 08:30:48 | Deep Dive |
| CVE-2026-3296 | Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Critical | 9.8 | 2026-04-08 01:24:44 | Deep Dive |
| CVE-2026-1540 | Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution | Unknown | Spam Protect for Contact Form 7 | - | - | 2026-04-02 06:00:10 | Deep Dive |
| CVE-2026-3831 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.9 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode | crmperks | Database for Contact Form 7, WPforms, Elementor forms | Medium | 4.3 | 2026-04-01 01:24:21 | Deep Dive |
| CVE-2026-4257 | Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality | supsysticcom | Contact Form by Supsystic | Critical | 9.8 | 2026-03-30 21:26:10 | Deep Dive |
| CVE-2026-1307 | Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token | kstover | Ninja Forms – The Contact Form Builder That Grows With You | Medium | 6.5 | 2026-03-28 06:46:09 | Deep Dive |
| CVE-2026-4987 | SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id' | brainstormforce | SureForms – Contact Form, Payment Form & Other Custom Form Builder | High | 7.5 | 2026-03-28 01:25:46 | Deep Dive |
| CVE-2026-32532 | WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability | ThemeHunk | Contact Form & Lead Form Elementor Builder | Medium | - | 2026-03-25 16:15:10 | Deep Dive |
| CVE-2026-32527 | WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.5 - Broken Access Control vulnerability | CRM Perks | WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | Medium | - | 2026-03-25 16:15:09 | Deep Dive |
| CVE-2026-32496 | WordPress Spam Protect for Contact Form 7 plugin <= 1.2.9 - Arbitrary File Deletion vulnerability | NYSL | Spam Protect for Contact Form 7 | Medium | - | 2026-03-25 16:15:00 | Deep Dive |
| CVE-2026-32483 | WordPress Contact Form Email plugin <= 1.3.63 - Broken Access Control vulnerability | codepeople | Contact Form Email | Medium | - | 2026-03-25 16:14:58 | Deep Dive |