| CVE-2026-6810 | Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover | codepeople | Booking Calendar Contact Form | Medium | 5.3 | 2026-04-24 05:29:38 | Deep Dive |
| CVE-2026-5364 | Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass | addonsorg | Drag and Drop File Upload for Contact Form 7 | High | 8.1 | 2026-04-24 05:29:37 | Deep Dive |
| CVE-2026-5478 | Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | High | 8.1 | 2026-04-20 19:27:08 | Deep Dive |
| CVE-2026-5718 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 8.1 | 2026-04-17 17:25:55 | Deep Dive |
| CVE-2026-5710 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 7.5 | 2026-04-17 17:25:55 | Deep Dive |
| CVE-2026-3330 | Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | Medium | 4.9 | 2026-04-17 03:36:44 | Deep Dive |
| CVE-2026-4160 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification | techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | Medium | 5.3 | 2026-04-16 13:27:09 | Deep Dive |
| CVE-2026-4949 | ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription | properfraction | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | Medium | 4.3 | 2026-04-15 22:26:06 | Deep Dive |
| CVE-2026-40764 | WordPress Contact Form by WPForms plugin <= 1.10.0.2 - Cross Site Request Forgery (CSRF) vulnerability | Syed Balkhi | Contact Form by WPForms | 中危 | - | 2026-04-15 10:21:35 | Deep Dive |
| CVE-2026-6293 | Inquiry form to posts or pages <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'inq_header' Parameter | udamadu | Inquiry form to posts or pages | Medium | 4.3 | 2026-04-15 06:46:19 | Deep Dive |
| CVE-2026-4388 | Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box | 10web | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | High | 7.2 | 2026-04-14 02:25:48 | Deep Dive |
| CVE-2025-15441 | Form Maker < 1.15.38 - SQL Injection | Unknown | Form Maker by 10Web | 中危 | - | 2026-04-13 06:00:11 | Deep Dive |
| CVE-2026-4979 | UsersWP <= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter | stiofansisland | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | Medium | 5.0 | 2026-04-11 01:25:00 | Deep Dive |
| CVE-2026-4977 | UsersWP <= 1.2.58 - Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter | stiofansisland | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | Medium | 4.3 | 2026-04-10 01:25:01 | Deep Dive |
| CVE-2026-5742 | UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution | stiofansisland | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | Medium | 6.4 | 2026-04-09 03:25:58 | Deep Dive |
| CVE-2026-5436 | MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys | inc2734 | MW WP Form | High | 8.1 | 2026-04-08 20:25:10 | Deep Dive |
| CVE-2026-39707 | WordPress Accept PayPal Payments using Contact Form 7 plugin <= 4.0.4 - Broken Access Control vulnerability | ZealousWeb | Accept PayPal Payments using Contact Form 7 | - | - | 2026-04-08 08:30:48 | Deep Dive |
| CVE-2026-5169 | Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field | udamadu | Inquiry form to posts or pages | Medium | 4.4 | 2026-04-08 06:43:39 | Deep Dive |
| CVE-2026-3296 | Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata | wpeverest | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | Critical | 9.8 | 2026-04-08 01:24:44 | Deep Dive |
| CVE-2026-3309 | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields | properfraction | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | Medium | 6.5 | 2026-04-04 11:16:15 | Deep Dive |