VYPR

Caldera Forms

by WordPress

CVEs (3)

  • CVE-2022-0879MedApr 18, 2022
    risk 0.40cvss 6.1epss 0.01

    The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting

  • CVE-2018-7747MedApr 20, 2018
    risk 0.35cvss 4.8epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form.

  • CVE-2021-24896MedDec 13, 2021
    risk 0.31cvss 4.8epss 0.01

    The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.