Contact Form
by WordPress
Source repositories
CVEs (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-9926 | 0.02 | — | 0.23 | Nov 7, 2024 | The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form | |||
| CVE-2024-4704 | 0.00 | — | 0.01 | Jun 27, 2024 | The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing. | |||
| CVE-2023-5530 | 0.00 | — | 0.02 | Nov 6, 2023 | The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue | |||
| CVE-2023-4109 | 0.00 | — | 0.00 | Aug 30, 2023 | The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability. | |||
| CVE-2022-2903 | 0.00 | — | 0.01 | Sep 26, 2022 | The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | |||
| CVE-2022-2116 | 0.00 | — | 0.00 | Aug 15, 2022 | The Contact Form DB WordPress plugin before 1.8.0 does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting | |||
| CVE-2021-25066 | 0.00 | — | 0.00 | Jul 4, 2022 | The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||
| CVE-2021-25056 | 0.00 | — | 0.00 | Jul 4, 2022 | The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||
| CVE-2022-1846 | 0.00 | — | 0.00 | Jun 27, 2022 | The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||
| CVE-2022-1326 | 0.00 | — | 0.00 | Jun 27, 2022 | The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||
| CVE-2019-11591 | 0.00 | — | 0.00 | Apr 29, 2019 | The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. |
- CVE-2024-9926Nov 7, 2024risk 0.02cvss —epss 0.23
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form
- CVE-2024-4704Jun 27, 2024risk 0.00cvss —epss 0.01
The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing.
- CVE-2023-5530Nov 6, 2023risk 0.00cvss —epss 0.02
The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue
- CVE-2023-4109Aug 30, 2023risk 0.00cvss —epss 0.00
The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability.
- CVE-2022-2903Sep 26, 2022risk 0.00cvss —epss 0.01
The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
- CVE-2022-2116Aug 15, 2022risk 0.00cvss —epss 0.00
The Contact Form DB WordPress plugin before 1.8.0 does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
- CVE-2021-25066Jul 4, 2022risk 0.00cvss —epss 0.00
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
- CVE-2021-25056Jul 4, 2022risk 0.00cvss —epss 0.00
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
- CVE-2022-1846Jun 27, 2022risk 0.00cvss —epss 0.00
The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
- CVE-2022-1326Jun 27, 2022risk 0.00cvss —epss 0.00
The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
- CVE-2019-11591Apr 29, 2019risk 0.00cvss —epss 0.00
The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.