Database for Contact Form 7, WPforms, Elementor forms Vulnerabilities

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated...

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attac...

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers...

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated atta...

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attrib...

The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities...

The Contact Form Entries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vx-entries' shortcode attributes in versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attack...

The Contact Form Entries plugin for WordPress is vulnerable to generic SQL Injection via the plugin's shortcode attributes in versions up to, and including, 1.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL qu...

The Contact Form Entries plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.2.9 when outputting to a CSV file. This allows low-level attackers to embed untrusted input contact forms that will be present in exported CSV files, which can result...

The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page

The Contact Form Entries – Contact Form 7, WPforms and more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘start_date’ and ‘end_date’ parameters in versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This...