VYPR

Contact Form

by WordPress

Source repositories

CVEs (21)

  • CVE-2020-35489CriDec 17, 2020
    risk 0.72cvss 10.0epss 0.90

    The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

  • CVE-2018-20979CriAug 22, 2019
    risk 0.64cvss 9.8epss 0.02

    The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type.

  • CVE-2019-11591HigApr 29, 2019
    risk 0.57cvss 8.8epss 0.01

    The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action']…

  • CVE-2022-2903HigSep 26, 2022
    risk 0.47cvss 7.2epss 0.01

    The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

  • CVE-2025-30935MedJun 6, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NickDuncan Contact Form contact-form-ready allows DOM-Based XSS.This issue affects Contact Form: from n/a through <= 2.0.12.

  • CVE-2022-2116MedAug 15, 2022
    risk 0.40cvss 6.1epss 0.01

    The Contact Form DB WordPress plugin before 1.8.0 does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting

  • CVE-2023-6449MedDec 1, 2023
    risk 0.36cvss 6.6epss 0.02

    The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it…

  • CVE-2024-1779MedFeb 23, 2024
    risk 0.34cvss 5.3epss 0.00

    The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes it possible for…

  • CVE-2024-4704MedJun 27, 2024
    risk 0.33cvss 6.1epss 0.00

    The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing.

  • CVE-2024-2242MedMar 13, 2024
    risk 0.33cvss 6.1epss 0.01

    The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers…

  • CVE-2023-5530MedNov 6, 2023
    risk 0.31cvss 4.8epss 0.01

    The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are…

  • CVE-2023-4109MedAug 30, 2023
    risk 0.31cvss 4.8epss 0.00

    The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability.

  • CVE-2021-25066MedJul 4, 2022
    risk 0.31cvss 4.8epss 0.01

    The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

  • CVE-2021-25056MedJul 4, 2022
    risk 0.31cvss 4.8epss 0.01

    The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

  • CVE-2022-1326MedJun 27, 2022
    risk 0.31cvss 4.8epss 0.01

    The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

  • CVE-2022-25601MedMar 11, 2022
    risk 0.31cvss 4.7epss 0.01

    Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4).

  • CVE-2024-9926MedNov 7, 2024
    risk 0.28cvss 4.3epss 0.01

    The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form

  • CVE-2022-1846MedJun 27, 2022
    risk 0.28cvss 4.3epss 0.00

    The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

  • CVE-2025-3247MedApr 16, 2025
    risk 0.27cvss 5.3epss 0.00

    The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to…

  • CVE-2012-10010MedApr 9, 2023
    risk 0.21cvss 4.3epss 0.00

    A vulnerability was found in BestWebSoft Contact Form 3.21. It has been classified as problematic. This affects the function cntctfrm_settings_page of the file contact_form.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely.…

Page 1 of 2