Contact Form Entries
by WordPress
Source repositories
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-3604 | Hig | 0.51 | 7.8 | 0.00 | Jan 16, 2024 | The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection. | ||
| CVE-2024-3715 | Hig | 0.47 | 7.2 | 0.01 | May 2, 2024 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated… | ||
| CVE-2023-33311 | Med | 0.42 | 6.5 | 0.00 | May 28, 2023 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CRM Perks Contact Form Entries plugin <= 1.3.0 versions. | ||
| CVE-2024-1069 | Hig | 0.40 | 7.2 | 0.01 | Jan 31, 2024 | The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities… | ||
| CVE-2021-25079 | Med | 0.40 | 6.1 | 0.07 | Jan 24, 2022 | The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page | ||
| CVE-2021-25080 | Med | 0.39 | 6.1 | 0.84 | Jan 24, 2022 | The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing… | ||
| CVE-2024-2030 | Med | 0.35 | 6.4 | 0.01 | Mar 13, 2024 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied… | ||
| CVE-2026-0825 | Med | 0.34 | 5.3 | 0.00 | Jan 28, 2026 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers… | ||
| CVE-2026-9843 | 0.00 | — | 0.01 | Jun 20, 2026 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated… |
- risk 0.51cvss 7.8epss 0.00
The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection.
- risk 0.47cvss 7.2epss 0.01
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated…
- risk 0.42cvss 6.5epss 0.00
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CRM Perks Contact Form Entries plugin <= 1.3.0 versions.
- risk 0.40cvss 7.2epss 0.01
The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities…
- risk 0.40cvss 6.1epss 0.07
The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page
- risk 0.39cvss 6.1epss 0.84
The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing…
- risk 0.35cvss 6.4epss 0.01
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied…
- risk 0.34cvss 5.3epss 0.00
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers…
- CVE-2026-9843Jun 20, 2026risk 0.00cvss —epss 0.01
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated…