CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-68924
https://notcve.org/view.php?id=CVE-2025-68924
16 Jan 2026 — In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution. • https://github.com/advisories/GHSA-vrgw-pc9c-qrrc • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24775 – WordPress Forms <= 2.9.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-24775
13 Aug 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through 2.9.0. La vulnerabilidad de carga sin restricciones de archivos con tipos peligrosos en Made I.T. Forms permite cargar un shell web a un servidor web. • https://patchstack.com/database/wordpress/plugin/forms-by-made-it/vulnerability/wordpress-forms-2-9-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2024-51791 – WordPress Forms plugin <= 2.8.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-51791
08 Nov 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through 2.8.0. Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through <= 2.8.0. The Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2... • https://packetstorm.news/files/id/214233 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 1CVE-2010-3260
https://notcve.org/view.php?id=CVE-2010-3260
27 Apr 2011 — oxf/xml/xerces/XercesSAXParserFactoryImpl.java in the xforms-server component in the XForms service in Orbeon Forms before 3.9 does not properly restrict DTDs in Ajax requests, which allows remote attackers to read arbitrary files or send HTTP requests to intranet servers via an entity declaration in conjunction with an entity reference, related to an "XML injection" issue. oxf/xml/xerces/XercesSAXParserFactoryImpl.java en el componente xforms-server en el servicio XForms en Orbeon Forms before v3.9 no rest... • http://wiki.orbeon.com/forms/doc/developer-guide/release-notes/39 • CWE-264: Permissions, Privileges, and Access Controls •