cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-12423,https://securityvulnerability.io/vulnerability/CVE-2024-12423,Reflected Cross-Site Scripting in Contact Form 7 Redirect & Thank You Page for WordPress,"The Contact Form 7 Redirect & Thank You Page plugin for WordPress presents a vulnerability that allows unauthenticated attackers to perform Reflected Cross-Site Scripting. This arises from inadequate input sanitization and output escaping in the 'post' parameter, vulnerable in all versions up to and including 1.0.7. If attackers manage to persuade users to interact with malicious links, they may successfully inject arbitrary web scripts that execute within the user's browser context, potentially compromising their session and gaining access to sensitive information.",Wordpress,Contact Form 7 Redirect & Thank You Page,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-15T09:25:54.881Z,0
CVE-2024-12587,https://securityvulnerability.io/vulnerability/CVE-2024-12587,Reflected Cross-Site Scripting in Contact Form Master Plugin for WordPress,"The Contact Form Master plugin for WordPress, up to version 1.0.7, is susceptible to a reflected cross-site scripting (XSS) vulnerability. This flaw arises due to the plugin's failure to properly sanitize and escape user-input parameters before rendering them on the web page. As a result, an attacker could craft a malicious URL that exploits this vulnerability, potentially targeting users, particularly those with high privileges like administrators. If such a user interacts with the manipulated URL, it can lead to the execution of arbitrary scripts in the context of their session, posing substantial security risks.",Wordpress,Contact Form Master,,,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-11T06:00:02.900Z,0
CVE-2024-12112,https://securityvulnerability.io/vulnerability/CVE-2024-12112,Stored Cross-Site Scripting in Easy Form Builder for WordPress,"The Easy Form Builder plugin for WordPress suffers from a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping. Attackers with Subscriber-level access or higher can exploit this flaw by injecting malicious scripts through the 'name' parameter of the 'add_form_Emsfb' AJAX action. This can lead to arbitrary web scripts executing on pages viewed by unsuspecting users, posing significant security risks. It is critical for users of the plugin to upgrade to the latest version or apply available patches to protect their sites from potential exploitation.",Wordpress,"Easy Form Builder – WordPress Plugin Form Builder: Contact Form, Survey Form, Payment Form, And Custom Form Builder",6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-08T03:18:11.056Z,0
CVE-2024-12532,https://securityvulnerability.io/vulnerability/CVE-2024-12532,Sensitive Information Exposure in BWD Elementor Addons Plugin for WordPress,"The BWD Elementor Addons plugin for WordPress contains a vulnerability in widgets/bwdeb-content-switcher.php that allows authenticated attackers with Contributor-level access and above to gain access to sensitive information. This includes private, pending, and draft template data, which could lead to potential data leakage or exploitation of user information. It is recommended that users of affected versions upgrade to the latest release to mitigate this risk.",Wordpress,"Bwd Elementor Addons (2500+ Presets, Meet The Team, Lottie, Lord Icon, Masking, WooCommerce, Theme Builder, Products, Blogs, Cv, Contact Form 7 Styler, Header, Slider, Hero Section)",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-07T11:11:11.537Z,0
CVE-2024-12419,https://securityvulnerability.io/vulnerability/CVE-2024-12419,Arbitrary Shortcode Execution in CF7 WOW Styler Plugin for WordPress,"The CF7 WOW Styler plugin for WordPress contains a vulnerability that permits arbitrary shortcode execution due to improper validation of input values. This flaw affects all versions up to and including 1.7.0, allowing unauthenticated attackers to execute potentially harmful shortcodes within the WordPress environment. Although version 1.7.0 addressed associated Reflected Cross-Site Scripting risks, the vulnerability related to arbitrary shortcode execution remains unmitigated, posing significant security risks to users.",Wordpress,Design For Contact Form 7 Style WordPress Plugin – Cf7 Wow Styler,6.5,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-07T03:21:55.752Z,0
CVE-2024-12238,https://securityvulnerability.io/vulnerability/CVE-2024-12238,Arbitrary Shortcode Execution Vulnerability in Ninja Forms Plugin for WordPress,"The Ninja Forms plugin for WordPress presents a vulnerability that permits arbitrary shortcode execution across all versions up to 3.8.22. The flaw arises from inadequate input validation, enabling authenticated users, including those with Subscriber-level access, to execute unverified shortcodes. This loophole in the plugin can potentially be exploited to perform unauthorized actions on a WordPress site, compromising its security integrity and user data. Mitigation strategies should be promptly applied to safeguard against this vulnerability.",Wordpress,Ninja Forms – The Contact Form Builder That Grows With You,6.3,MEDIUM,0.0004400000034365803,false,,false,false,false,false,false,false,2024-12-29T05:22:53.627Z,0
CVE-2024-10862,https://securityvulnerability.io/vulnerability/CVE-2024-10862,SQL Injection Vulnerability in NEX-Forms Plugin for WordPress,"An SQL injection vulnerability has been discovered in the NEX-Forms - Ultimate Form Builder plugin for WordPress, affecting all versions up to and including 8.7.13. This vulnerability arises due to inadequate escaping mechanisms for user-supplied input in the 'search_params' parameter, coupled with insufficient safeguards in the existing SQL query structure. As a result, unauthorized attackers are able to inject additional SQL commands, potentially leading to the extraction of sensitive database information. Furthermore, the absence of proper nonce validation on the get_table_records AJAX action heightens the risk of CSRF exploits, allowing attackers to perform unauthorized actions without user consent.",Wordpress,Nex-forms – Ultimate Form Builder – Contact Forms And Much More,4.9,MEDIUM,0.0004900000058114529,false,,false,false,false,,false,false,2024-12-25T06:42:14.009Z,0
CVE-2024-12190,https://securityvulnerability.io/vulnerability/CVE-2024-12190,Data Exposure in Bit Form Contact Form Plugin for WordPress,"The Contact Form by Bit Form, including its Multi Step Form, Calculation Contact Form, Payment Contact Form, and Custom Contact Form builder, contains a security vulnerability that exposes sensitive data. Due to a lack of necessary capability checks on the 'bitform-form-entry-edit' endpoint, authenticated users with Subscriber-level access and higher can access form submissions made by other users. This flaw affects all versions of the plugin up to and including 2.17.3, potentially compromising user privacy and data security on WordPress sites utilizing these contact forms.",Wordpress,"Contact Form By Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form Builder",4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-25T03:21:32.469Z,0
CVE-2024-10646,https://securityvulnerability.io/vulnerability/CVE-2024-10646,Stored Cross-Site Scripting Vulnerability in Contact Form Plugin,"The Contact Form Plugin by Fluent Forms for the Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is affected by a vulnerability that allows stored cross-site scripting. This issue arises from inadequate input sanitization and output escaping in the form's subject parameter. Unsanctioned attackers can exploit this vulnerability to inject arbitrary web scripts into pages, leading to the execution of these scripts whenever a user accesses an affected page. This poses a significant risk to the security and integrity of WordPress sites using this plugin.",Wordpress,"Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder",7.2,HIGH,0.0005200000014156103,false,,false,false,false,,false,false,2024-12-14T05:34:14.007Z,0
CVE-2024-11052,https://securityvulnerability.io/vulnerability/CVE-2024-11052,Ninja Forms Vulnerable to Stored Cross-Site Scripting,"The Ninja Forms plugin for WordPress is prone to a Stored Cross-Site Scripting vulnerability that arises from inadequate input sanitization and output escaping in the calculations parameter. This security flaw impacts all versions up to and including 3.8.19, allowing unauthenticated attackers to inject malicious web scripts. When users access pages that include the injected content, these scripts could execute, leading to potential unauthorized actions and data exposure. Website administrators should ensure they are using patched versions of the plugin and take proactive measures to secure their WordPress installations.",Wordpress,Ninja Forms – The Contact Form Builder That Grows With You,7.2,HIGH,0.0004600000102072954,false,,false,false,false,,false,false,2024-12-12T05:24:24.004Z,0
CVE-2024-12255,https://securityvulnerability.io/vulnerability/CVE-2024-12255,Unauthenticated Information Exposure Vulnerability Affects Stripe Payments in Contact Form 7 Plugin,"The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it possible for unauthenticated attackers to extract configuration information that can be leveraged in another attack.",Wordpress,Accept Stripe Payments Using Contact Form 7,5.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-12-12T05:24:22.258Z,0
CVE-2024-12341,https://securityvulnerability.io/vulnerability/CVE-2024-12341,Unauthorized Data Modification Vulnerability in Contact Form 7 Plugin,"The Custom Skins Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf7cs_action_callback' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the content of any post and create new skins.",Wordpress,Custom Skins Contact Form 7,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-12T03:23:04.555Z,0
CVE-2024-11205,https://securityvulnerability.io/vulnerability/CVE-2024-11205,Unauthorized Data Modification in WPForms Plugin for WordPress,"The WPForms plugin for WordPress presents a security vulnerability that arises from a missing capability check within the 'wpforms_is_admin_page' function. This flaw affects versions from 1.8.4 to 1.9.2.1 and allows authenticated attackers with Subscriber-level access or higher to execute unauthorized actions such as refunding payments and canceling subscriptions. The lack of proper validation opens the door for misused access privileges, making it essential for users to evaluate their installations for the specified versions and apply security measures.",Wordpress,"WPforms – Easy Form Builder For WordPress – Contact Forms, Payment Forms, Surveys, & More",8.5,HIGH,0.000699999975040555,false,,true,false,true,,false,false,2024-12-10T04:23:41.091Z,0
CVE-2024-12026,https://securityvulnerability.io/vulnerability/CVE-2024-12026,Unauthorized Modification of Data Vulnerability in Contact Form 7's Message Filter Plugin,"The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveFilter() function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new filters.",Wordpress,Message Filter For Contact Form 7,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-07T02:15:00.000Z,0
CVE-2024-12165,https://securityvulnerability.io/vulnerability/CVE-2024-12165,Reflected Cross-Site Scripting Vulnerability in Contact Form 7 Plugin,"The Mollie for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,Mollie For Contact Form 7,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-12-07T02:15:00.000Z,0
CVE-2024-12027,https://securityvulnerability.io/vulnerability/CVE-2024-12027,Unauthorized Modification of Data in Contact Form 7's Message Filter,"The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateFilter() and deleteFilter() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update and delete filters.",Wordpress,Message Filter For Contact Form 7,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-06T08:24:52.558Z,0
CVE-2024-10056,https://securityvulnerability.io/vulnerability/CVE-2024-10056,Stored Cross-Site Scripting Vulnerability in Contact Form Builder,"The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's livesite-pay shortcode in all versions up to, and including, 4.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Contact Form Builder By Vcita,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-05T09:23:06.958Z,0
CVE-2024-10587,https://securityvulnerability.io/vulnerability/CVE-2024-10587,Funnelforms Free Plugin Vulnerable to PHP Object Injection,"The Funnelforms Free plugin for WordPress is susceptible to PHP Object Injection due to improper deserialization of untrusted input. This vulnerability impacts all versions up to and including 3.7.4.1 and allows authenticated attackers with Contributor-level access or higher to inject PHP Objects. Without a known PHP Object Pollution (POP) chain in the vulnerable plugin itself, attackers could exploit this vulnerability if additional plugins or themes are present on the target site. Successful exploitation may lead to potential risks such as arbitrary file deletion, sensitive data retrieval, or remote code execution.",Wordpress,Interactive Contact Form And Multi Step Form Builder With Drag & Drop Editor – Funnelforms Free,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,false,false,2024-12-04T02:40:25.489Z,0
CVE-2024-10521,https://securityvulnerability.io/vulnerability/CVE-2024-10521,Cross-Site Request Forgery Vulnerability in WordPress Contact Forms Plugin,"The WordPress Contact Forms by Cimatti plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on the process_bulk_action function. This makes it possible for unauthenticated attackers to delete forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",Wordpress,WordPress Contact Forms By Cimatti,4.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-11-27T11:03:33.991Z,0
CVE-2024-10898,https://securityvulnerability.io/vulnerability/CVE-2024-10898,Arbitrary PHP Code Execution Vulnerability in Contact Form 7 Email Add-on,"The Contact Form 7 Email Add On plugin for WordPress is susceptible to a Local File Inclusion vulnerability through the function cf7_email_add_on_add_admin_template(). This vulnerability impacts all versions up to and including version 1.9, allowing authenticated users with Contributor-level access or higher to include and execute arbitrary PHP files residing on the server. Exploitation of this vulnerability could lead to unauthorized code execution, data exfiltration, and bypassing of access controls, particularly in scenarios when PHP files can be uploaded and included by the attacker.",Wordpress,Contact Form 7 Email Add On,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,false,false,2024-11-21T02:06:46.137Z,0
CVE-2024-11038,https://securityvulnerability.io/vulnerability/CVE-2024-11038,Unauthenticated Arbitrary Shortcode Execution Vulnerability in CF7 Popup plugin,"The WPB Popup for Contact Form 7 plugin for WordPress is susceptible to a vulnerability allowing unauthenticated attackers to execute arbitrary shortcodes. This is primarily due to inadequate validation of user inputs in the wpb_pcf_fire_contact_form AJAX action, present in all versions up to and including 1.7.5. Successful exploitation of this vulnerability could enable attackers to manipulate the Wordpress site by executing harmful shortcodes, thereby compromising its integrity and security.",Wordpress,WPb Popup For Contact Form 7 – Showing The Contact Form 7 Popup On Button Click – Cf7 Popup,7.3,HIGH,0.0005200000014156103,false,,false,false,false,,false,false,2024-11-19T11:02:28.827Z,0
CVE-2024-10884,https://securityvulnerability.io/vulnerability/CVE-2024-10884,Reflected Cross-Site Scripting Vulnerability in SimpleForm Contact Form Submissions Plugin,"The SimpleForm Contact Form Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,Simpleform Contact Form Submissions,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-11-16T03:20:40.950Z,0
CVE-2024-10883,https://securityvulnerability.io/vulnerability/CVE-2024-10883,Unauthenticated Attackers Can Inject Arbitrary Web Scripts through Cross-Site Scripting Vulnerability in SimpleForm,"The SimpleForm – Contact form made simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,Simpleform – Contact Form Made Simple,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-11-16T03:20:40.270Z,0
CVE-2024-10861,https://securityvulnerability.io/vulnerability/CVE-2024-10861,Unauthorized Data Modification Vulnerability in The Popup Box Plugin,"The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress has a design flaw that results in unauthorized modification of critical plugin settings. The vulnerability arises from a lack of proper capability checks in the deactivate_plugin_option() function. As a result, attackers who do not possess authentication can exploit this flaw to manipulate the 'ays_pb_upgrade_plugin' option, potentially leading to arbitrary changes in the plugin's configuration and behavior across all versions up to and including 4.9.7.",Wordpress,"Popup Box – Create Countdown, Coupon, Video, Contact Form Popups",5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-11-16T03:15:00.000Z,0
CVE-2024-10260,https://securityvulnerability.io/vulnerability/CVE-2024-10260,Stored Cross-Site Scripting Vulnerability in Tripetto WordPress Plugin,"The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the file.",Wordpress,"WordPress Form Builder Plugin For Contact Forms, Surveys And Quizzes – Tripetto",6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-11-15T05:30:56.350Z,0