VYPR

Weforms

by WordPress

Source repositories

CVEs (7)

  • CVE-2020-22276CriNov 4, 2020
    risk 0.64cvss 9.8epss 0.03

    WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.

  • CVE-2024-0386HigMar 12, 2024
    risk 0.47cvss 7.2epss 0.01

    The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…

  • CVE-2023-50896MedDec 29, 2023
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress:…

  • CVE-2026-2707MedMar 11, 2026
    risk 0.35cvss 6.4epss 0.00

    The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When…

  • CVE-2025-69028MedDec 30, 2025
    risk 0.34cvss 5.3epss 0.00

    Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25.

  • CVE-2024-32512MedMay 17, 2024
    risk 0.34cvss 5.3epss 0.00

    Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality.This issue affects weForms: from n/a through 1.6.20.

  • CVE-2022-2395MedAug 8, 2022
    risk 0.31cvss 4.8epss 0.00

    The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.