"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 28
Critical: 2
High: 6
Medium: 20
Showing 21-28 of 28 records
Threat Entry Updated 2025-02-19

CVE-2023-24410 - Contact Form Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection. This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25.

PLUGIN Contact Form

CVE-2023-24410

CRITICAL CVSS 9.8 2023-10-31
Threat Entry Updated 2024-11-21

CVE-2023-2528 - Contact Form Plugin

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Contact Form

CVE-2023-2528

MEDIUM CVSS 5.4 2023-05-17
Threat Entry Updated 2025-02-11

CVE-2023-0546 - Contact Form Plugin

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with a role as low as contributor to inject arbitrary JavaScript into a form, which will trigger for any visitor to the form or admins previewing or editing the form.

PLUGIN Contact Form

CVE-2023-0546

MEDIUM CVSS 5.4 2023-04-10
Threat Entry Updated 2024-11-21

CVE-2021-24777 - Contact Form Plugin

The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a GET request with the sub_id parameter, which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to an SQL injection.

PLUGIN Contact Form

CVE-2021-24777

HIGH CVSS 7.2 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-24689 - Contact Form Plugin

The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack.

PLUGIN Contact Form

CVE-2021-24689

MEDIUM CVSS 4.9 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24381 - Contact Form Plugin

The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Contact Form

CVE-2021-24381

MEDIUM CVSS 4.8 2021-10-25
Threat Entry Updated 2024-11-21

CVE-2021-34620 - contact_form Plugin

The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions.

PLUGIN contact_form

CVE-2021-34620

HIGH CVSS 8.8 2021-07-07
Threat Entry Updated 2024-11-21

CVE-2021-24276 - Contact Form Plugin

The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.

PLUGIN Contact Form

CVE-2021-24276

MEDIUM CVSS 6.1 2021-05-05