Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

9 records: 0 critical, 3 high, 6 medium.
Threat Entry Updated 2025-10-14

CVE-2025-10732 - Drag And Drop Form Builder For Wordpress Plugin

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.

CVE-2025-10732 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: MEDIUM | CVSS 4.3 | 2025-10-14
Threat Entry Updated 2025-07-11

CVE-2025-6742 - Drag And Drop Form Builder For Wordpress Plugin

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is…

CVE-2025-6742 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: HIGH | CVSS 7.5 | 2025-07-09
Threat Entry Updated 2025-07-11

CVE-2025-6691 - Drag And Drop Form Builder For Wordpress Plugin

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVE-2025-6691 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: HIGH | CVSS 8.1 | 2025-07-09
Threat Entry Updated 2025-07-11

CVE-2024-12713 - Drag And Drop Form Builder For Wordpress Plugin

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to.

CVE-2024-12713 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: MEDIUM | CVSS 5.3 | 2025-01-08
Threat Entry Updated 2025-01-23

CVE-2024-2108 - Drag And Drop Form Builder For Wordpress Plugin

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-2108 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: MEDIUM | CVSS 4.6 | 2024-03-29
Threat Entry Updated 2025-01-23

CVE-2024-2113 - Drag And Drop Form Builder For Wordpress Plugin

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX action. This makes it possible for unauthenticated attackers to trigger an export of a form's submissions to a publicly accessible location via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE-2024-2113 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: MEDIUM | CVSS 4.3 | 2024-03-29
Threat Entry Updated 2024-11-21

CVE-2024-0685 - Drag And Drop Form Builder For Wordpress Plugin

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to inject SQL via their email address that will append additional SQL into the already existing query when an administrator triggers a personal data export.

CVE-2024-0685 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: MEDIUM | CVSS 5.9 | 2024-02-02
Threat Entry Updated 2024-11-21

CVE-2021-24163 - Drag And Drop Form Builder For Wordpress Plugin

The AJAX action wp_ajax_ninja_forms_sendwp_remote_install_handler in the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin before 3.4.34 had neither a capability check nor nonce protection, making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to establish the SendWP connection.

CVE-2021-24163 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: HIGH | CVSS 8.8 | 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24166 - Drag And Drop Form Builder For Wordpress Plugin

The wp_ajax_nf_oauth_disconnect AJAX action in the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin before 3.4.34 had no nonce protection, making it possible for attackers to craft a request that disconnects a site's OAuth connection.

CVE-2021-24166 | Plugin: Drag And Drop Form Builder For Wordpress | Severity: MEDIUM | CVSS 5.4 | 2021-04-05