Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 22
Critical: 1
High: 4
Medium: 16
Showing 1-20 of 22 records
Threat Entry Updated 2026-05-27

CVE-2026-42728 - Contact Form 7 Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS. This issue affects HT Contact Form 7: from n/a through

PLUGIN Contact Form 7

CVE-2026-42728

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-04-24

CVE-2026-39707 - Contact Form 7 Plugin

Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept PayPal Payments using Contact Form 7: from n/a through

PLUGIN Contact Form 7

CVE-2026-39707

MEDIUM CVSS 5.3 2026-04-08
Threat Entry Updated 2026-04-29

CVE-2026-32527 - Contact Form 7 Plugin

Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-insightly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through

PLUGIN Contact Form 7

CVE-2026-32527

MEDIUM CVSS 6.5 2026-03-25
Threat Entry Updated 2026-04-29

CVE-2026-32496 - Contact Form 7 Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal. This issue affects Spam Protect for Contact Form 7: from n/a through

PLUGIN Contact Form 7

CVE-2026-32496

MEDIUM CVSS 6.8 2026-03-25
Threat Entry Updated 2026-04-28

CVE-2026-25430 - Contact Form 7 Plugin

Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through

PLUGIN Contact Form 7

CVE-2026-25430

MEDIUM CVSS 6.5 2026-03-25
Threat Entry Updated 2026-04-22

CVE-2026-32460 - Contact Form 7 Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through

PLUGIN Contact Form 7

CVE-2026-32460

MEDIUM CVSS 6.5 2026-03-13
Threat Entry Updated 2026-04-15

CVE-2026-24945 - Contact Form 7 Plugin

Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through

PLUGIN Contact Form 7

CVE-2026-24945

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-01-23

CVE-2025-14457 - Contact Form 7 Plugin

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.

PLUGIN Contact Form 7

CVE-2025-14457

LOW CVSS 3.7 2026-01-15
Threat Entry Updated 2026-01-08

CVE-2025-14842 - Contact Form 7 Plugin

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute…

PLUGIN Contact Form 7

CVE-2025-14842

MEDIUM CVSS 6.1 2026-01-07
Threat Entry Updated 2026-01-20

CVE-2025-64231 - Contact Form 7 Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files. This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through

PLUGIN Contact Form 7

CVE-2025-64231

CRITICAL CVSS 9.8 2025-12-18
Threat Entry Updated 2025-07-22

CVE-2025-7645 - Contact Form 7 Plugin

The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Contact Form 7

CVE-2025-7645

HIGH CVSS 8.1 2025-07-22
Threat Entry Updated 2025-07-08

CVE-2025-3247 - Contact Form 7 Plugin

The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

PLUGIN Contact Form 7

CVE-2025-3247

MEDIUM CVSS 5.3 2025-04-16
Threat Entry Updated 2025-08-11

CVE-2024-12267 - Contact Form 7 Plugin

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

PLUGIN Contact Form 7

CVE-2024-12267

MEDIUM CVSS 5.3 2025-01-31
Threat Entry Updated 2024-11-21

CVE-2024-4704 - Contact Form 7 Plugin

The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing.

PLUGIN Contact Form 7

CVE-2024-4704

MEDIUM CVSS 6.1 2024-06-27
Threat Entry Updated 2024-11-21

CVE-2024-34826 - Contact Form 7 Plugin

Missing Authorization vulnerability in Tobias Conrad Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler. This issue affects Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler: from n/a through 1.6.4.

PLUGIN Contact Form 7

CVE-2024-34826

MEDIUM CVSS 6.3 2024-06-11
Threat Entry Updated 2024-11-21

CVE-2024-4870 - Contact Form 7 Plugin

The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the '_cf7frr_' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify the default user role in the registration form settings.

PLUGIN Contact Form 7

CVE-2024-4870

HIGH CVSS 7.2 2024-06-04
Threat Entry Updated 2025-08-08

CVE-2024-3717 - Contact Form 7 Plugin

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.

PLUGIN Contact Form 7

CVE-2024-3717

MEDIUM CVSS 5.3 2024-05-02
Threat Entry Updated 2025-01-17

CVE-2024-2242 - Contact Form 7 Plugin

The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Contact Form 7

CVE-2024-2242

MEDIUM CVSS 6.1 2024-03-13
Threat Entry Updated 2024-11-21

CVE-2023-6630 - Contact Form 7 Plugin

The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key.

PLUGIN Contact Form 7

CVE-2023-6630

MEDIUM CVSS 4.3 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-6449 - Contact Form 7 Plugin

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may…

PLUGIN Contact Form 7

CVE-2023-6449

MEDIUM CVSS 6.6 2023-12-01