Which HTML Forms – Simple WordPress Forms Plugin CVEs are tracked?

HTML Forms – Simple WordPress Forms Plugin tracked CVEs include CVE-2025-31080, CVE-2022-3689, CVE-2025-46236, CVE-2025-13861, and CVE-2024-56060.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 9 known issues Latest disclosed Dec 16, 2025

HTML Forms – Simple WordPress Forms Plugin Vulnerabilities

Q: How many HTML Forms – Simple WordPress Forms Plugin vulnerabilities have patch guidance?

9 of 9 tracked HTML Forms – Simple WordPress Forms Plugin records include a published patch path.

Review known vulnerability records for the WordPress plugin HTML Forms – Simple WordPress Forms Plugin (`html-forms`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-13861, CVE-2025-12125 and CVE-2025-46236, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Dec 17, 2025

Priority CVE Quick Links

Fast paths into HTML Forms – Simple WordPress Forms Plugin CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2025-31080 High 1.5.2

CVE-2025-31080 HTML Forms – Simple WordPress Forms Plugin Stored Cross-Site Scripting

HTML Forms <= 1.5.1 - Unauthenticated Stored Cross-Site Scripting

CVE-2022-3689 High 1.3.25

CVE-2022-3689 HTML Forms – Simple WordPress Forms Plugin SQL Injection

HTML Forms <= 1.3.24 - Authenticated (Administrator+) SQL Injection

CVE-2025-46236 Medium 1.5.3

CVE-2025-46236 HTML Forms – Simple WordPress Forms Plugin Stored Cross-Site Scripting

HTML Forms <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-13861 Medium 1.6.1

CVE-2025-13861 HTML Forms – Simple WordPress Forms Plugin File Upload

HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting

CVE-2024-56060 Medium 1.4.2

CVE-2024-56060 HTML Forms – Simple WordPress Forms Plugin Cross-Site Scripting

HTML Forms <= 1.4.1 - Reflected Cross-Site Scripting

CVE-2023-50836 Medium 1.3.30

CVE-2023-50836 HTML Forms – Simple WordPress Forms Plugin Stored Cross-Site Scripting

HTML Forms <= 1.3.28 - Authenticated (Administrator+) Cross-Site Scripting

CVE-2025-12125 Medium 1.5.6

CVE-2025-12125 HTML Forms – Simple WordPress Forms Plugin Stored Cross-Site Scripting

HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting

CVE-2024-6243 Medium 1.3.33

CVE-2024-6243 HTML Forms – Simple WordPress Forms Plugin Stored Cross-Site Scripting

HTML Forms – Simple WordPress Forms <= 1.3.32 - Authenticated (Admin+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for HTML Forms – Simple WordPress Forms Plugin so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

9 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 2 high severity findings.

Recent CVEs

CVE-2025-13861, CVE-2025-12125 and CVE-2025-46236

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-13861 Medium Patch path listed

CVE-2025-13861: HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting

The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient saniti...

Published

Dec 16, 2025

Patch Status

1.6.1

Open CVE-2025-13861 Report

CVE-2025-12125 Medium Patch path listed

CVE-2025-12125: HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting

The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insuffi...

Published

Nov 07, 2025

Patch Status

1.5.6

Open CVE-2025-12125 Report

CVE-2025-46236 Medium Patch path listed

CVE-2025-46236: HTML Forms <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The HTML Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This make...

Published

Apr 22, 2025

Patch Status

1.5.3

Open CVE-2025-46236 Report

Known Vulnerabilities

Reports for HTML Forms – Simple WordPress Forms Plugin

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-13861

CVE-2025-13861: HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting

The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admi...

Published

Dec 16, 2025

Patched Release

1.6.1

Affected Versions

Versions up to 1.6.0

Next Step

Update to 1.6.1 or newer if supported.

Open CVE-2025-13861 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-12125

CVE-2025-12125: HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting

The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published

Nov 07, 2025

Patched Release

1.5.6

Affected Versions

Versions up to 1.5.5

Next Step

Update to 1.5.6 or newer if supported.

Open CVE-2025-12125 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-46236

CVE-2025-46236: HTML Forms <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The HTML Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inj...

Published

Apr 22, 2025

Patched Release

1.5.3

Affected Versions

Versions up to 1.5.2

Next Step

Update to 1.5.3 or newer if supported.

Open CVE-2025-46236 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-31080

CVE-2025-31080: HTML Forms <= 1.5.1 - Unauthenticated Stored Cross-Site Scripting

The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

Published

Apr 01, 2025

Patched Release

1.5.2

Affected Versions

Versions up to 1.5.1

Next Step

Update to 1.5.2 or newer if supported.

Open CVE-2025-31080 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-56060

CVE-2024-56060: HTML Forms <= 1.4.1 - Reflected Cross-Site Scripting

The HTML Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th...

Published

Dec 18, 2024

Patched Release

1.4.2

Affected Versions

Versions up to 1.4.1

Next Step

Update to 1.4.2 or newer if supported.

Open CVE-2024-56060 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-6412

CVE-2024-6412: HTML Forms – Simple WordPress Forms Plugin <= 1.3.33 - Cross-Site Request Forgery

The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.33. This is due to missing or incorrect nonce validation on the process_bulk_action() function. This makes it possible for una...

Published

Jul 10, 2024

Patched Release

1.3.34

Affected Versions

Versions up to 1.3.33

Next Step

Update to 1.3.34 or newer if supported.

Open CVE-2024-6412 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-6243

CVE-2024-6243: HTML Forms – Simple WordPress Forms <= 1.3.32 - Authenticated (Admin+) Stored Cross-Site Scripting

The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated at...

Published

Jul 01, 2024

Patched Release

1.3.33

Affected Versions

Versions up to 1.3.32

Next Step

Update to 1.3.33 or newer if supported.

Open CVE-2024-6243 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-50836

CVE-2023-50836: HTML Forms <= 1.3.28 - Authenticated (Administrator+) Cross-Site Scripting

The HTML Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-leve...

Published

Dec 21, 2023

Patched Release

1.3.30

Affected Versions

Versions up to 1.3.28

Next Step

Update to 1.3.30 or newer if supported.

Open CVE-2023-50836 Report Open CVE Reference

Plugin High Patched: Yes CVE-2022-3689

CVE-2022-3689: HTML Forms <= 1.3.24 - Authenticated (Administrator+) SQL Injection

The HTML Forms plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.3.24 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacke...

Published

Nov 07, 2022

Patched Release

1.3.25

Affected Versions

Versions up to 1.3.24

Next Step

Update to 1.3.25 or newer if supported.

Open CVE-2022-3689 Report Open CVE Reference