Plugin Vulnerability Hub
Plugin 17 known issues Latest disclosed Oct 19, 2025

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) Vulnerabilities

Review known vulnerability records for the WordPress plugin Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) (`buddyforms`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-62973, CVE-2025-32151 and CVE-2024-12038, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 17
High or Critical: 7
Patch Coverage: 100%
Last Updated: Oct 29, 2025

Patch Decision Workflow

How to prioritize Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records: 16

1. Match the Package: Confirm the installed WordPress plugin slug is buddyforms before acting on any CVE from this cluster.
2. Sort by Severity: Start with 7 high or critical records, then review medium and unrated findings with public references.
3. Check Patch Evidence: 17 records include a patch path; verify compatibility before closing the finding.
4. Monitor Gaps: 0 records still lack a listed fixed release, so keep this hub in the review queue.

Priority CVE Quick Links

Fast paths into Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 16

| Tracked CVE | Issue Type | Affected Versions | Fixed Version | CVSS |
| --- | --- | --- | --- | --- |
| CVE-2018-21003: Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy Word... | SQL Injection | Versions up to 2.2.7 | 2.2.8 | 9.8 |
| CVE-2024-32830: BuddyForms <= 2.8.8 - Unauthenticated Arbitrary File Read and Server-Side Request Fo... | Server-Side Request Forgery | Versions up to 2.8.8 | 2.8.9 | 9.3 |
| CVE-2025-32151: BuddyForms <= 2.8.17 - Authenticated (Contributor+) Local File Inclusion | Local File Inclusion | Versions up to 2.8.17 | No patch listed | 8.8 |
| CVE-2024-8246: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Fo... | Privilege Escalation | Versions up to 2.8.11 | 2.8.12 | 8.8 |
| CVE-2023-26326: BuddyForms <= 2.7.7 - PHAR Deserialization | Vulnerability | Versions up to 2.7.7 | 2.7.8 | 8.8 |
| CVE-2024-1170: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Fo... | Vulnerability | Versions up to 2.8.7 | 2.8.8 | 8.2 |
| CVE-2024-1169: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Fo... | Vulnerability | Versions up to 2.8.7 | 2.8.8 | 7.5 |
| CVE-2024-5149: BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness | Vulnerability | Versions up to 2.8.9 | 2.8.10 | 6.5 |

CVE-2018-21003 Critical 2.2.8
CVE-2018-21003 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) SQL Injection

Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.2.7 - SQL Injection

CVE-2024-32830 Critical 2.8.9
CVE-2024-32830 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) Server-Side Request Forgery

BuddyForms <= 2.8.8 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery

CVE-2025-32151 High No patch listed
CVE-2025-32151 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) Local File Inclusion

BuddyForms <= 2.8.17 - Authenticated (Contributor+) Local File Inclusion

CVE-2024-8246 High 2.8.12
CVE-2024-8246 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) Privilege Escalation

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.11 - Authenticated (Contributor+) Privilege Escalation

CVE-2023-26326 High 2.7.8
CVE-2023-26326 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) Vulnerability

BuddyForms <= 2.7.7 - PHAR Deserialization

CVE-2024-1170 High 2.8.8
CVE-2024-1170 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) Vulnerability

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.7 - Missing Authorization to Unauthenticated Media Deletion

CVE-2024-1169 High 2.8.8
CVE-2024-1169 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) Vulnerability

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.7 - Missing Authorization to Unauthenticated Media Upload

CVE-2024-5149 Medium 2.8.10
CVE-2024-5149 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) Vulnerability

BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 17 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 2 critical and 5 high severity findings.
Recent CVEs: CVE-2025-62973, CVE-2025-32151 and CVE-2024-12038
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.


Known Vulnerabilities

Reports for Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: No CVE-2025-62973
CVE-2025-62973: BuddyForms <= 2.9.0 - Missing Authorization

The BuddyForms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.9.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published: Oct 19, 2025
Patched Release: Not published
Affected Versions: Versions up to 2.9.0
Next Step: Open the full report for remediation notes and references.

Plugin High Patched: No CVE-2025-32151
CVE-2025-32151: BuddyForms <= 2.8.17 - Authenticated (Contributor+) Local File Inclusion

The BuddyForms plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.8.17. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the exec...

Published: Apr 04, 2025
Patched Release: Not published
Affected Versions: Versions up to 2.8.17
Next Step: Open the full report for remediation notes and references.

Plugin Medium Patched: Yes CVE-2024-12038
CVE-2024-12038: Frontend Content Forms for User Submissions (UGC) <= 2.8.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buddyforms_nav' Shortcode

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buddyforms_nav' shortcode in all versions up to, and including, 2.8.15 due to...

Published: Feb 21, 2025
Patched Release: 2.8.16
Affected Versions: Versions up to 2.8.15
Next Step: Update to 2.8.16 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12037
CVE-2024-12037: Frontend Content Forms for User Submissions (UGC) <= 2.8.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bf_new_submission_link' shortcode in all versions up to, and including, 2.8.1...

Published: Jan 30, 2025
Patched Release: 2.8.14
Affected Versions: Versions up to 2.8.13
Next Step: Update to 2.8.14 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-47377
CVE-2024-47377: BuddyForms <= 2.8.12 - Authenticated (Editor+) Stored Cross-Site Scripting

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.8.12 due to insufficient input sanitizatio...

Published: Sep 30, 2024
Patched Release: 2.8.13
Affected Versions: Versions up to 2.8.12
Next Step: Update to 2.8.13 or newer if supported.

Plugin High Patched: Yes CVE-2024-8246
CVE-2024-8246: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.11 - Authenticated (Contributor+) Privilege Escalation

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to the plugin not properly restricting what user...

Published: Sep 13, 2024
Patched Release: 2.8.12
Affected Versions: Versions up to 2.8.11
Next Step: Update to 2.8.12 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-5149
CVE-2024-5149: BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness

The BuddyForms plugin for WordPress is vulnerable to Email Verification Bypass in all versions up to, and including, 2.8.9 via the use of an insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification.

Published: Jun 04, 2024
Patched Release: 2.8.10
Affected Versions: Versions up to 2.8.9
Next Step: Update to 2.8.10 or newer if supported.

Plugin Critical Patched: Yes CVE-2024-32830
CVE-2024-32830: BuddyForms <= 2.8.8 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Arbitrary File Read and Server-Side Request Forgery in all versions up to, and including, 2.8.8. This makes it possible for...

Published: Apr 22, 2024
Patched Release: 2.8.9
Affected Versions: Versions up to 2.8.8
Next Step: Update to 2.8.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-30198
CVE-2024-30198: BuddyForms <= 2.8.5 - Reflected Cross-Site Scripting via page

The BuddyForms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in versions up to, and including, 2.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

Published: Mar 25, 2024
Patched Release: 2.8.6
Affected Versions: Versions up to 2.8.5
Next Step: Update to 2.8.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-1158
CVE-2024-1158: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.7 - Missing Authorization

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up...

Published: Mar 06, 2024
Patched Release: 2.8.8
Affected Versions: Versions up to 2.8.7
Next Step: Update to 2.8.8 or newer if supported.

Plugin High Patched: Yes CVE-2024-1169
CVE-2024-1169: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.7 - Missing Authorization to Unauthenticated Media Upload

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all v...

Published: Mar 06, 2024
Patched Release: 2.8.8
Affected Versions: Versions up to 2.8.7
Next Step: Update to 2.8.8 or newer if supported.

Plugin High Patched: Yes CVE-2024-1170
CVE-2024-1170: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.7 - Missing Authorization to Unauthenticated Media Deletion

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up...

Published: Mar 06, 2024
Patched Release: 2.8.8
Affected Versions: Versions up to 2.8.7
Next Step: Update to 2.8.8 or newer if supported.