SureForms – Contact Form, Payment Form & Other Custom Form Builder

Vulnerabilities: 16 | Slug: sureforms | Latest version: 2.8.2

Minimum safe version

2.6.0

Update to 2.6.0 or later to address 16 fixable vulnerabilities

Latest available: 2.8.2

Medium 6.1
2025-09-23 | < 1.9.1

SureForms – Drag and Drop Form Builder for WordPress <= 1.9.0 - Authenticated (Admin+) Stored Cross-Site Scripting

N/A
2026-02-13 | < 2.2.2

SureForms – Drag and Drop Form Builder for WordPress <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation

N/A
2026-02-15 | < 2.2.2

SureForms <= 2.2.1 - Missing Authorization

N/A
2026-03-27 | < 2.6.0

SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'

Medium 4.3
2025-09-20 | < 1.12.1

SureForms – Drag and Drop Form Builder for WordPress <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation

Medium 5.8
2025-08-01 | < 1.7.2

SureForms <= 1.7.1 - Reflected Cross-Site Scripting

High 7.5
2025-07-09 | < 1.7.4

SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion

High 8.1
2025-07-09 | < 1.7.4

SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Submission Deletion

Medium 4.9
2025-04-30 | < 1.4.4

SureForms – Drag and Drop Form Builder for WordPress <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Settings Update

Low 3.5
2025-05-02 | < 1.4.4

SureForms <= 1.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Low 3.5
2025-05-02 | < 1.4.4

SureForms <= 1.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting