Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total4
Critical0
High1
Medium3
Reset
Showing 1-4 of 4 records
Threat Entry Updated 2026-03-11

CVE-2026-2707 - Weforms Plugin

The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are submitted via the REST API (`/wp-json/weforms/v1/forms/{id}/entries/`), the `prepare_entry()` method in `class-abstract-fields.php` receives the WP_REST_Request object as `$args`, bypassing the `weforms_clean()` fallback that sanitizes `$_POST` data for frontend submissions. The base field handler only applies `trim()` to the value. This makes it possible for authenticated…

PLUGIN Weforms

CVE-2026-2707

MEDIUM CVSS 6.4 2026-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-01-15

CVE-2024-0386 - Weforms Plugin

The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Weforms

CVE-2024-0386

HIGH CVSS 7.2 2024-03-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-50896 - Weforms Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress: from n/a through 1.6.17.

PLUGIN Weforms

CVE-2023-50896

MEDIUM CVSS 5.9 2023-12-29
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-2395 - Weforms Plugin

The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Weforms

CVE-2022-2395

MEDIUM CVSS 4.8 2022-08-08
Open Full Technical Breakdown
Scroll to top