Weforms
by WordPress
Source repositories
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-22276 | Cri | 0.64 | 9.8 | 0.03 | Nov 4, 2020 | WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry. | ||
| CVE-2024-0386 | Hig | 0.47 | 7.2 | 0.01 | Mar 12, 2024 | The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject… | ||
| CVE-2023-50896 | Med | 0.38 | 5.9 | 0.00 | Dec 29, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress:… | ||
| CVE-2026-2707 | Med | 0.35 | 6.4 | 0.00 | Mar 11, 2026 | The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When… | ||
| CVE-2025-69028 | Med | 0.34 | 5.3 | 0.00 | Dec 30, 2025 | Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25. | ||
| CVE-2024-32512 | Med | 0.34 | 5.3 | 0.00 | May 17, 2024 | Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality.This issue affects weForms: from n/a through 1.6.20. | ||
| CVE-2022-2395 | Med | 0.31 | 4.8 | 0.00 | Aug 8, 2022 | The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
- risk 0.64cvss 9.8epss 0.03
WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.
- risk 0.47cvss 7.2epss 0.01
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…
- risk 0.38cvss 5.9epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress:…
- risk 0.35cvss 6.4epss 0.00
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When…
- risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25.
- risk 0.34cvss 5.3epss 0.00
Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality.This issue affects weForms: from n/a through 1.6.20.
- risk 0.31cvss 4.8epss 0.00
The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.