Contact Form
by WordPress
Source repositories
CVEs (21)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-35489 | Cri | 0.72 | 10.0 | 0.90 | Dec 17, 2020 | The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters. | ||
| CVE-2018-20979 | Cri | 0.64 | 9.8 | 0.02 | Aug 22, 2019 | The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type. | ||
| CVE-2019-11591 | Hig | 0.57 | 8.8 | 0.01 | Apr 29, 2019 | The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action']… | ||
| CVE-2022-2903 | Hig | 0.47 | 7.2 | 0.01 | Sep 26, 2022 | The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | ||
| CVE-2025-30935 | Med | 0.42 | 6.5 | 0.00 | Jun 6, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NickDuncan Contact Form contact-form-ready allows DOM-Based XSS.This issue affects Contact Form: from n/a through <= 2.0.12. | ||
| CVE-2022-2116 | Med | 0.40 | 6.1 | 0.01 | Aug 15, 2022 | The Contact Form DB WordPress plugin before 1.8.0 does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting | ||
| CVE-2023-6449 | Med | 0.36 | 6.6 | 0.02 | Dec 1, 2023 | The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it… | ||
| CVE-2024-1779 | Med | 0.34 | 5.3 | 0.00 | Feb 23, 2024 | The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes it possible for… | ||
| CVE-2024-4704 | Med | 0.33 | 6.1 | 0.00 | Jun 27, 2024 | The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing. | ||
| CVE-2024-2242 | Med | 0.33 | 6.1 | 0.01 | Mar 13, 2024 | The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers… | ||
| CVE-2023-5530 | Med | 0.31 | 4.8 | 0.01 | Nov 6, 2023 | The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are… | ||
| CVE-2023-4109 | Med | 0.31 | 4.8 | 0.00 | Aug 30, 2023 | The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability. | ||
| CVE-2021-25066 | Med | 0.31 | 4.8 | 0.01 | Jul 4, 2022 | The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||
| CVE-2021-25056 | Med | 0.31 | 4.8 | 0.01 | Jul 4, 2022 | The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||
| CVE-2022-1326 | Med | 0.31 | 4.8 | 0.01 | Jun 27, 2022 | The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||
| CVE-2022-25601 | Med | 0.31 | 4.7 | 0.01 | Mar 11, 2022 | Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4). | ||
| CVE-2024-9926 | Med | 0.28 | 4.3 | 0.01 | Nov 7, 2024 | The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form | ||
| CVE-2022-1846 | Med | 0.28 | 4.3 | 0.00 | Jun 27, 2022 | The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||
| CVE-2025-3247 | Med | 0.27 | 5.3 | 0.00 | Apr 16, 2025 | The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to… | ||
| CVE-2012-10010 | Med | 0.21 | 4.3 | 0.00 | Apr 9, 2023 | A vulnerability was found in BestWebSoft Contact Form 3.21. It has been classified as problematic. This affects the function cntctfrm_settings_page of the file contact_form.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely.… |
- risk 0.72cvss 10.0epss 0.90
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
- risk 0.64cvss 9.8epss 0.02
The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type.
- risk 0.57cvss 8.8epss 0.01
The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action']…
- risk 0.47cvss 7.2epss 0.01
The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NickDuncan Contact Form contact-form-ready allows DOM-Based XSS.This issue affects Contact Form: from n/a through <= 2.0.12.
- risk 0.40cvss 6.1epss 0.01
The Contact Form DB WordPress plugin before 1.8.0 does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
- risk 0.36cvss 6.6epss 0.02
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it…
- risk 0.34cvss 5.3epss 0.00
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes it possible for…
- risk 0.33cvss 6.1epss 0.00
The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing.
- risk 0.33cvss 6.1epss 0.01
The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers…
- risk 0.31cvss 4.8epss 0.01
The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are…
- risk 0.31cvss 4.8epss 0.00
The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability.
- risk 0.31cvss 4.8epss 0.01
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
- risk 0.31cvss 4.8epss 0.01
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
- risk 0.31cvss 4.8epss 0.01
The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
- risk 0.31cvss 4.7epss 0.01
Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4).
- risk 0.28cvss 4.3epss 0.01
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form
- risk 0.28cvss 4.3epss 0.00
The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
- risk 0.27cvss 5.3epss 0.00
The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to…
- risk 0.21cvss 4.3epss 0.00
A vulnerability was found in BestWebSoft Contact Form 3.21. It has been classified as problematic. This affects the function cntctfrm_settings_page of the file contact_form.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely.…
Page 1 of 2