VYPR

Wpforms

by WordPress

CVEs (11)

  • CVE-2022-3574 | Critical | Nov 14, 2022
    risk 0.64 | cvss 9.8 | epss 0.01

    The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection.

  • CVE-2024-11205 | High | Dec 10, 2024
    risk 0.48 | cvss 8.5 | epss 0.01

    The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with…

  • CVE-2020-10385 | Medium | Mar 24, 2020
    risk 0.38 | cvss 5.4 | epss 0.04

    A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress.

  • CVE-2025-3794 | Medium | May 9, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the start_timestamp parameter in all versions up to, and including, 1.9.5 due to insufficient input…

  • CVE-2024-13403 | Medium | Feb 4, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input…

  • CVE-2026-4986 | Medium | Jun 9, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

  • CVE-2024-11223 | Medium | Dec 26, 2024
    risk 0.31 | cvss 4.7 | epss 0.00

    The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2024-3649 | Medium | May 2, 2024
    risk 0.28 | cvss 5.3 | epss 0.01

    The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated…

  • CVE-2026-7792 | Medium | Jun 6, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint…

  • CVE-2024-7056 | Low | Nov 25, 2024
    risk 0.23 | cvss 3.5 | epss 0.00

    The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2020-36919 | Jan 13, 2026
    risk 0.00 | cvss | epss 0.00

    WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in the victim's browser.