
CVE-2025-30767 – WordPress PDF for WPForms plugin <= 5.3.0 - Arbitrary Shortcode Execution vulnerability
https://notcve.org/view.php?id=CVE-2025-30767
26 Mar 2025 — Missing Authorization vulnerability in add-ons.org PDF for WPForms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for WPForms: from n/a through 5.3.0. The PDF for WPForms + Drag and Drop Template Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.3.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This make... • https://patchstack.com/database/wordpress/plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-5-3-0-arbitrary-shortcode-execution-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-862: Missing Authorization •

CVE-2024-56276 – WordPress WPForms Lite plugin <= 1.9.2.2 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-56276
03 Jan 2025 — Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by WPForms: from n/a through 1.9.2.2. The WPForms – Easy Form Builder for WordPress – ... • https://patchstack.com/database/wordpress/plugin/wpforms-lite/vulnerability/wordpress-wpforms-lite-plugin-1-9-2-2-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2023-52209 – WordPress WPForms User Registration plugin <= 2.1.0 - Authenticated Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-52209
18 Jul 2024 — Improper Privilege Management vulnerability in WPForms, LLC. WPForms User Registration allows Privilege Escalation. This issue affects WPForms User Registration: from n/a through 2.1.0. The WPForms User Registration plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.1.0. This is due to a missing capability check when adding a role option to a form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a form that... • https://patchstack.com/database/vulnerability/wpforms-user-registration/wordpress-wpforms-user-registration-plugin-2-1-0-authenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •

CVE-2024-29820 – WordPress PDF Builder for WPForms plugin <= 1.2.88 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-29820
25 Mar 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedNao PDF Builder for WPForms allows Stored XSS. This issue affects PDF Builder for WPForms: from n/a through 1.2.88. The PDF Builder for WPForms plugin fo... • https://patchstack.com/database/vulnerability/pdf-builder-for-wpforms/wordpress-pdf-builder-for-wpforms-plugin-1-2-88-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-7063 – WPForms Pro 1.8.4 - 1.8.5.3 - Unauthenticated Stored Cross-Site Scripting via Form Submission
https://notcve.org/view.php?id=CVE-2023-7063
19 Jan 2024 — The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters in all versions up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpforms.com/docs/how-to-view-recent-changes-to-the-wpforms-plugin-changelog/#1-8-5-4-2023-12-27 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-3213 – WP Mail SMTP Pro <= 3.8.0 - Missing Authorization to Information Disclosure via is_print_page
https://notcve.org/view.php?id=CVE-2023-3213
03 Oct 2023 — The WP Mail SMTP Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_print_page function in versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to disclose potentially sensitive email information. • https://wpmailsmtp.com/docs/how-to-view-recent-changes-to-the-wp-mail-smtp-plugin-changelog • CWE-862: Missing Authorization •

CVE-2023-30500 – WordPress WPForms plugins - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2023-30500
20 Jun 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite), WPForms WPForms Pro (wpforms) plugins <= 1.8.1.2 versions. The Contact Form by WPForms (Free and Premium) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.8.1.2 due to insufficient input sanitization and output escaping on debug data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can suc... • https://patchstack.com/database/vulnerability/wpforms-lite/wordpress-wpforms-lite-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-3574 – WPForms Pro < 1.7.7 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-3574
19 Oct 2022 — The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. The WPForms Pro plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.7.6. This allows attackers to embed untrusted input into exported CSV files, which can result... • https://wpscan.com/vulnerability/0eae5189-81af-4344-9e96-dd1f4e223d41 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2020-10385 – Contact Form by WPForms <= 1.5.8.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-10385
18 Feb 2020 — A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress. WordPress WPForms plugin version 1.5.8.2 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/156910 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2019-25145 – Contact Form & SMTP Plugin by PirateForms <= 2.5.1 - Unauthenticated HTML injection
https://notcve.org/view.php?id=CVE-2019-25145
27 Jul 2019 — The Contact Form & SMTP Plugin by PirateForms plugin for WordPress is vulnerable to HTML injection in the ‘public/class-pirateforms-public.php’ file in versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary HTML in emails that could be used to phish unsuspecting victims. • https://blog.nintechnet.com/html-injection-vulnerability-in-wordpress-pirate-forms-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •