CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44231 – WordPress Contact Form Plugin <= 2.0.10 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-44231
29 Sep 2023 — Cross-Site Request Forgery (CSRF) vulnerability in NickDuncan Contact Form plugin <= 2.0.10 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento NickDuncan Contact Form en versiones <= 2.0.10. The Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.10. This is due to missing or incorrect nonce validation on the wpcf_styling_page() function. This makes it possible for unauthenticated attackers to modify the contact ... • https://patchstack.com/database/vulnerability/contact-form-ready/wordpress-contact-form-plugin-2-0-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24410 – WordPress FluentForm Plugin <= 4.3.25 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-24410
12 Jul 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection.This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25. Neutralización Inadecuada de Elementos Especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en el Co... • https://patchstack.com/database/vulnerability/fluentform/wordpress-fluentform-plugin-4-3-25-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30500 – WordPress WPForms plugins - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2023-30500
20 Jun 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite), WPForms WPForms Pro (wpforms) plugins <= 1.8.1.2 versions. The Contact Form by WPForms (Free and Premium) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.8.1.2 due to insufficient input sanitization and output escaping on debug data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can suc... • https://patchstack.com/database/vulnerability/wpforms-lite/wordpress-wpforms-lite-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2528 – Contact Form by Supsystic <= 1.7.24 - Cross-Site Request Forgery via AJAX action
https://notcve.org/view.php?id=CVE-2023-2528
16 May 2023 — The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/trunk/classes/frame.php?rev=2777737#L297 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0546 – FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
https://notcve.org/view.php?id=CVE-2023-0546
20 Mar 2023 — The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form. The FluentForms plugin for WrodPress is vulnerable to stored Cross-Site Scripting via custom form fields in versions up to, and including, 4.3.24. This makes it pos... • https://wpscan.com/vulnerability/078f33cd-0f5c-46fe-b858-2107a09c6b69 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3463 – FluentForm < 4.3.13 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-3463
17 Oct 2022 — The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection El complemento de WordPress Contact Form anterior a 4.3.13 no valida ni escapa de los campos al exportar entradas de formulario como CSV, lo que genera una inyección de CSV. The Contact Form Plugin by FluentForm plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 4.3.12. This allows attackers to embed untrusted input into ... • https://wpscan.com/vulnerability/e2a59481-db45-4b8e-b17a-447303469364 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24381 – NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24381
27 Sep 2021 — The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Ninja Forms Contact Form de WordPress versiones anteriores a 3.5.8.2, no sanea ni escapa del nombre de la clase personalizada del campo form creado, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques d... • https://wpscan.com/vulnerability/e383fae6-e0da-4aba-bb62-adf51c01bf8d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-34620 – CSRF in WP Fluent Forms < 3.6.67 allows stored XSS and Privilege Escalation
https://notcve.org/view.php?id=CVE-2021-34620
16 Jun 2021 — The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions El plugin WP Fluent Forms versiones anteriores a 3.6.67, para WordPress es vulnerable a un ataque de tipo Cross-Site Request Forgery conllevando a una vulnerabilidad de tipo Cross-Site Scripting almacenada y una escalada de privilegios limitada debido a ... • https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/Acl/Acl.php?rev=2196688 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 8%CPEs: 1EXPL: 4CVE-2021-24276 – Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24276
19 Apr 2021 — The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue El plugin de WordPress Contact Form by Supsystic versiones anteriores a 1.7.15, no saneaba el parámetro tab de su página options antes de generarlo en un atributo, conllevando a un problema de tipo Cross-Site Scripting reflejado WordPress Contact Form plugin version 1.7.14 suffers from a cross site scriptin... • https://packetstorm.news/files/id/164308 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 5CVE-2020-10385 – Contact Form by WPForms <= 1.5.8.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-10385
18 Feb 2020 — A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress. Hay una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en el plugin WPForms Contact Form (también se conoce como wpforms-lite) versiones anteriores a la versión 1.5.9 para WordPress. WordPress WPForms plugin version 1.5.8.2 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/156910 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •