Plugin Vulnerability Hub
Plugin | 10 known issues | Latest disclosed Mar 20, 2026

Contact Form, Survey, Quiz & Popup Form Builder – ARForms Vulnerabilities

Review known vulnerability records for the WordPress plugin Contact Form, Survey, Quiz & Popup Form Builder – ARForms (`arforms-form-builder`), including severity, CVE references, affected versions, and patch status.

Known Records: 10
High or Critical: 4
Linked CVEs: 10
Last Updated: Mar 20, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Contact Form, Survey, Quiz & Popup Form Builder – ARForms so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility: 10 records include a published patch path.
Severity Mix: 0 critical and 4 high severity findings.
Reference Workflow: Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.

Known Vulnerabilities

Reports for Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: No | CVE-2024-13785
Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution

The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the software allowing users to execute an action that does not properly validate a val...

Published: Mar 20, 2026
Patched Release: Not published
Affected Versions: Versions up to 1.7.2
Next Step: Open the full report for remediation notes and references.

Plugin | High | Patched: Yes | CVE-2024-10504
Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.0 - Unauthenticated Stored Cross-Site Scripting

The Contact Form, Survey, Quiz & Popup Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to in...

Published: Jan 06, 2025
Patched Release: 1.7.1
Affected Versions: Versions up to 1.7.0
Next Step: Update to 1.7.1 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-54223
ARForms Form Builder <= 1.7.1 - HTML Injection

The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.7.1. This is due to the plugin not properly sanitizing and escaping data. This makes it possible for unauthenticated attacker...

Published: Dec 05, 2024
Patched Release: 1.7.2
Affected Versions: Versions up to 1.7.1
Next Step: Update to 1.7.2 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-37920
ARForms Form Builder <= 1.6.7 - Reflected Cross-Site Scripting

The ARForms Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...

Published: Jul 09, 2024
Patched Release: 1.6.8
Affected Versions: Versions up to 1.6.7
Next Step: Update to 1.6.8 or newer if supported.

Plugin | High | Patched: Yes | CVE-2024-1945
ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This make...

Published: Apr 25, 2024
Patched Release: 1.6.5
Affected Versions: Versions up to 1.6.4
Next Step: Update to 1.6.5 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-31270
ARForms Form Builder <= 1.6.1 - Missing Authorization

The ARForms Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an un...

Published: Apr 05, 2024
Patched Release: 1.6.2
Affected Versions: Versions up to 1.6.1
Next Step: Update to 1.6.2 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-31272
ARForms Form Builder <= 1.6.1 - Cross-Site Request Forgery

The ARForms Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized a...

Published: Apr 05, 2024
Patched Release: 1.6.2
Affected Versions: Versions up to 1.6.1
Next Step: Update to 1.6.2 or newer if supported.

Plugin | High | Patched: Yes | CVE-2023-6828
ARForms <= 1.5.8 - Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arf_http_referrer_url’ parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and ou...

Published: Jan 03, 2024
Patched Release: 1.5.9
Affected Versions: Versions up to 1.5.8
Next Step: Update to 1.5.9 or newer if supported.

Plugin | High | Patched: Yes | CVE-2022-45838
ARForms Form Builder <= 1.5.6 - Unauthenticated Cross-Site Scripting

The ARForms Form Builder plugin for WordPress is vulnerable to Cross-Site Scripting via an unspecified parameter in versions up to, and including, 1.5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbi...

Published: Nov 23, 2022
Patched Release: 1.5.7
Affected Versions: Versions up to 1.5.6
Next Step: Update to 1.5.7 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2021-24718
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder < 1.5 - Cross-Site Scripting

The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Published: Nov 02, 2021
Patched Release: 1.5
Affected Versions: Versions before 1.5
Next Step: Update to 1.5 or newer if supported.