Plugin Vulnerability Hub
Plugin | 16 known issues | Latest disclosed Mar 23, 2026

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More Vulnerabilities

Review known vulnerability records for the WordPress plugin WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More (`wpforms-lite`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-25339, CVE-2026-32446 and CVE-2025-3794, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 16
High or Critical: 3
Patch Coverage: 100%
Last Updated: Apr 15, 2026
Priority CVE Quick Links

Fast paths into WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 12
CVE-2024-11205 | High | Patched release: 1.9.2.2
WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation

CVE-2024-13403 | Medium | Stored Cross-Site Scripting | Patched release: 1.9.3.2
WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter

CVE-2020-10385 | Medium | Stored Cross-Site Scripting | Patched release: 1.5.9
Contact Form by WPForms <= 1.5.8.2 - Stored Cross-Site Scripting

CVE-2023-30500 | Medium | Cross-Site Scripting | Patched release: 1.8.1.3
Contact Form by WPForms (Free and Premium) <= 1.8.1.2 - Reflected Cross-Site Scripting

CVE-2025-3794 | Medium | Stored Cross-Site Scripting | Patched release: 1.9.5.1
WPForms Lite <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start_timestamp' Parameter

CVE-2026-25339 | Medium | Sensitive Information Exposure | Patched release: 1.9.9.2
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.9.8.7 - Unauthenticated Sensitive Information Exposure

CVE-2024-3649 | Medium | Patched release: 1.8.8.2
Contact Form by WPForms – Drag & Drop Form Builder for WordPress <= 1.8.7.2 - Unauthenticated Price Manipulation

CVE-2024-11223 | Medium | Stored Cross-Site Scripting | Patched release: 1.9.2.3
WPForms <= 1.9.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 16 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 3 high severity findings.
Recent CVEs: CVE-2026-25339, CVE-2026-32446 and CVE-2025-3794
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Sorted by latest disclosure date so newly published issues surface first.

CVE-2026-25339: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.9.8.7 - Unauthenticated Sensitive Information Exposure
Plugin | Severity: Medium | Patched: Yes

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.8.7. This makes it possible for unauthenticated attackers to extract sensit...

Published: Mar 23, 2026
Patched Release: 1.9.9.2
Affected Versions: Versions up to 1.9.8.7
Next Step: Update to 1.9.9.2 or newer if supported.

CVE-2026-32446: Contact Form by WPForms <= 1.9.9.3 - Missing Authorization
Plugin | Severity: Medium | Patched: Yes

The Contact Form by WPForms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.9.3. This makes it possible for authenticated attackers, with contributor-level access and above, to perform...

Published: Mar 07, 2026
Patched Release: 1.9.9.4
Affected Versions: Versions up to 1.9.9.3
Next Step: Update to 1.9.9.4 or newer if supported.

CVE-2025-3794: WPForms Lite <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start_timestamp' Parameter
Plugin | Severity: Medium | Patched: Yes

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the start_timestamp parameter in all versions up to, and including, 1.9.5 due to insufficient input sanitization and...

Published: May 09, 2025
Patched Release: 1.9.5.1
Affected Versions: Versions up to 1.9.5
Next Step: Update to 1.9.5.1 or newer if supported.

CVE-2024-13403: WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter
Plugin | Severity: Medium | Patched: Yes

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and o...

Published: Feb 03, 2025
Patched Release: 1.9.3.2
Affected Versions: Versions up to 1.9.3.1
Next Step: Update to 1.9.3.2 or newer if supported.

CVE-2024-56276: Contact Form by WPForms <= 1.9.2.2 - Missing Authorization
Plugin | Severity: Medium | Patched: Yes

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.9.2.2. This makes it possible for authen...

Published: Jan 03, 2025
Patched Release: 1.9.2.3
Affected Versions: Versions up to 1.9.2.2
Next Step: Update to 1.9.2.3 or newer if supported.

CVE-2024-11205: WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation
Plugin | Severity: High | Patched: Yes

The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Su...

Published: Dec 09, 2024
Patched Release: 1.9.2.2
Affected Versions: 1.8.4 through 1.9.2.1
Next Step: Update to 1.9.2.2 or newer if supported.

CVE-2024-11223: WPForms <= 1.9.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Plugin | Severity: Medium | Patched: Yes

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.9.2.2 due to insufficient input sanitization and output escap...

Published: Dec 05, 2024
Patched Release: 1.9.2.3
Affected Versions: Versions up to 1.9.2.2
Next Step: Update to 1.9.2.3 or newer if supported.

CVE-2024-10593: WPForms – Easy Form Builder for WordPress <= 1.9.1.6 - Cross-Site Request Forgery (CSRF) to Plugin's Log Deletion
Plugin | Severity: Medium | Patched: Yes

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_...

Published: Nov 12, 2024
Patched Release: 1.9.2.1
Affected Versions: Versions up to 1.9.1.6
Next Step: Update to 1.9.2.1 or newer if supported.

CVE-2024-7056: WPForms <= 1.9.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Plugin | Severity: Medium | Patched: Yes

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.9.1.5 due to insufficient input sanitization and output escap...

Published: Nov 04, 2024
Patched Release: 1.9.1.6
Affected Versions: Versions up to 1.9.1.5
Next Step: Update to 1.9.1.6 or newer if supported.

CVE-2024-3649: Contact Form by WPForms – Drag & Drop Form Builder for WordPress <= 1.8.7.2 - Unauthenticated Price Manipulation
Plugin | Severity: Medium | Patched: Yes

The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated att...

Published: May 01, 2024
Patched Release: 1.8.8.2
Affected Versions: Versions up to 1.8.7.2
Next Step: Update to 1.8.8.2 or newer if supported.

CVE-2023-30500: Contact Form by WPForms (Free and Premium) <= 1.8.1.2 - Reflected Cross-Site Scripting
Plugin | Severity: Medium | Patched: Yes

The Contact Form by WPForms (Free and Premium) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.8.1.2 due to insufficient input sanitization and output escaping on debug data. This makes it possible for unauthenticated attac...

Published: Jun 20, 2023
Patched Release: 1.8.1.3
Affected Versions: Versions up to 1.8.1.2
Next Step: Update to 1.8.1.3 or newer if supported.

Contact Form by WPForms <= 1.7.5.3 - Authenticated (Administrator+) Arbitrary File Access via Path Traversal
Plugin | Severity: Medium | Patched: Yes

The Contact Form by WPForms plugin for WordPress is vulnerable to Directory Traversal via email template paths in versions up to, and including, 1.7.5.3. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive i...

Published: Sep 19, 2022
Patched Release: 1.7.5.5
Affected Versions: Versions up to 1.7.5.3
Next Step: Update to 1.7.5.5 or newer if supported.