What this page helps you verify fast
This hub clusters tracked records for Caldera Forms – More Than Contact Forms so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.
Review known vulnerability records for the WordPress plugin Caldera Forms – More Than Contact Forms (`caldera-forms`), including severity, CVE references, affected versions, and patch status.
Recent tracked CVEs on this page include CVE-2022-0879, CVE-2021-24896 and CVE-2018-7747, so operators can jump from disclosure to patch validation without scanning the full feed first.
Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.
Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.
Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.
Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.
Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.
Affected range: Versions before 1.9.7. Fixed version: 1.9.7.
Affected range: Versions up to 1.5.9.1. Fixed version: 1.6.0.
Affected range: Versions before 1.9.5. Fixed version: 1.9.5.
Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.
| Tracked CVE | Issue Type | Affected Versions | Fixed Version | CVSS |
|---|---|---|---|---|
|
CVE-2022-0879
Caldera Forms <= 1.9.6 - Reflected Cross-Site Scripting via cf-api
|
Cross-Site Scripting | Versions before 1.9.7 | 1.9.7 | CVSS 6.1 |
|
CVE-2018-7747
Caldera Forms <= 1.5.9.1 - Cross Site Scripting
|
Cross-Site Scripting | Versions up to 1.5.9.1 | 1.6.0 | CVSS 5.5 |
|
CVE-2021-24896
Caldera forms <= 1.9.4 - Admin+ Stored Cross-Site Scripting
|
Stored Cross-Site Scripting | Versions before 1.9.5 | 1.9.5 | CVSS 4.8 |
Caldera Forms <= 1.9.6 - Reflected Cross-Site Scripting via cf-api
Caldera Forms <= 1.5.9.1 - Cross Site Scripting
Caldera forms <= 1.9.4 - Admin+ Stored Cross-Site Scripting
This hub clusters tracked records for Caldera Forms – More Than Contact Forms so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.
These recent records surface the CVE strings, patch cues, and direct report links most operators need first.
The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting
The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Sc...
Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors invo...
Sorted by latest disclosure date so newly published issues surface first.
The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting
The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form.
The Caldera Forms plugin for WordPress is vulnerable to Cross-Site Scripting via the "edit" parameter in versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scr...
The Caldera Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSRF through the ‘create_form’ action in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...
The Caldera Forms – More Than Contact Forms plugin for WordPress is vulnerable to Sensitive Information Disclosure due to missing capability checks on the browse_entries() function that makes it possible for low-level authenticated attackers to retrieve form entries in versions u...