"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 18 | Critical: 1 | High: 3 | Medium: 13
Showing 1-18 of 18 records
Threat Entry Updated 2026-02-03

CVE-2026-24945 - Contact Form 7 Plugin

Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 (ultimate-addons-for-contact-form-7) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through

PLUGIN Contact Form 7

CVE-2026-24945

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-01-26

CVE-2026-24559 - Contact Form 7 Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot (cf7-hubspot) allows Retrieve Embedded Sensitive Data. This issue affects Integration for Contact Form 7 HubSpot: from n/a through

PLUGIN Contact Form 7

CVE-2026-24559

MEDIUM CVSS 5.4 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24557 - Contact Form 7 Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension (contact-form-7-getresponse-extension) allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through

PLUGIN Contact Form 7

CVE-2026-24557

MEDIUM CVSS 5.3 2026-01-23
Threat Entry Updated 2026-01-23

CVE-2025-14457 - Contact Form 7 Plugin

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.

PLUGIN Contact Form 7

CVE-2025-14457

LOW CVSS 3.7 2026-01-15
Threat Entry Updated 2026-01-08

CVE-2025-14842 - Contact Form 7 Plugin

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute…

PLUGIN Contact Form 7

CVE-2025-14842

MEDIUM CVSS 6.1 2026-01-07
Threat Entry Updated 2026-01-20

CVE-2025-64231 - Contact Form 7 Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database (rtwwcfp-wordpress-contact-form-7-pdf) allows Using Malicious Files. This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through

PLUGIN Contact Form 7

CVE-2025-64231

CRITICAL CVSS 9.8 2025-12-18
Threat Entry Updated 2025-07-22

CVE-2025-7645 - Contact Form 7 Plugin

The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Contact Form 7

CVE-2025-7645

HIGH CVSS 8.1 2025-07-22
Threat Entry Updated 2025-07-08

CVE-2025-3247 - Contact Form 7 Plugin

The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

PLUGIN Contact Form 7

CVE-2025-3247

MEDIUM CVSS 5.3 2025-04-16
Threat Entry Updated 2025-08-11

CVE-2024-12267 - Contact Form 7 Plugin

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

PLUGIN Contact Form 7

CVE-2024-12267

MEDIUM CVSS 5.3 2025-01-31
Threat Entry Updated 2024-11-21

CVE-2024-4704 - Contact Form 7 Plugin

The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing.

PLUGIN Contact Form 7

CVE-2024-4704

MEDIUM CVSS 6.1 2024-06-27
Threat Entry Updated 2024-11-21

CVE-2024-34826 - Contact Form 7 Plugin

Missing Authorization vulnerability in Tobias Conrad Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler. This issue affects Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler: from n/a through 1.6.4.

PLUGIN Contact Form 7

CVE-2024-34826

MEDIUM CVSS 6.3 2024-06-11
Threat Entry Updated 2024-11-21

CVE-2024-4870 - Contact Form 7 Plugin

The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the '_cf7frr_' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify the default user role in the registration form settings.

PLUGIN Contact Form 7

CVE-2024-4870

HIGH CVSS 7.2 2024-06-04
Threat Entry Updated 2025-08-08

CVE-2024-3717 - Contact Form 7 Plugin

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.

PLUGIN Contact Form 7

CVE-2024-3717

MEDIUM CVSS 5.3 2024-05-02
Threat Entry Updated 2025-01-17

CVE-2024-2242 - Contact Form 7 Plugin

The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Contact Form 7

CVE-2024-2242

MEDIUM CVSS 6.1 2024-03-13
Threat Entry Updated 2024-11-21

CVE-2023-6630 - Contact Form 7 Plugin

The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key.

PLUGIN Contact Form 7

CVE-2023-6630

MEDIUM CVSS 4.3 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-6449 - Contact Form 7 Plugin

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may…

PLUGIN Contact Form 7

CVE-2023-6449

MEDIUM CVSS 6.6 2023-12-01
Threat Entry Updated 2024-11-21

CVE-2021-24159 - Contact Form 7 Plugin

Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.

PLUGIN Contact Form 7

CVE-2021-24159

HIGH CVSS 8.8 2021-04-05