High 8.1
2026-04-15< 1.10.0.3
CVE-2026-40764
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Minimum safe version
1.10.0.3
Update to 1.10.0.3 or later to address 24 fixable vulnerabilities
Latest available1.10.0.4 ✓Affected up to1.9.2.1 ⚠
Medium 6.5
2026-03-25< 1.9.9.2
CVE-2026-25339
Medium 4.3
2026-03-13< 1.9.9.4
CVE-2026-32446
Medium 6.1
2026-01-13= 1.7.8
CVE-2020-36919
Medium 5.4
2025-05-09< 1.9.5.1
WPForms Lite <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start_timestamp' Parameter
Medium 6.4
2025-02-04< 1.9.3.2
CVE-2024-13403
Medium 4.3
2025-01-07< 1.9.2.3
CVE-2024-56276
Medium 4.7
2024-12-26< 1.9.2.3
CVE-2024-11223
Medium 6.5
2024-12-10≥ 1.8.4 and ≤ 1.9.2.1
CVE-2024-11205
Low 3.5
2024-11-25< 1.9.1.6
CVE-2024-7056
Medium 4.3
2024-11-13< 1.9.2.1
CVE-2024-10593
Medium 5.3
2024-05-02< 1.8.8.2
CVE-2024-3649
N/A
< 1.4.8
Contact Form by WPForms < 1.4.8 - Authenticated Stored Cross-Site Scripting (XSS)
N/A
< 1.4.8.1
Contact Form by WPForms < 1.4.8.1 - Unauthenticated Cross-Site Scripting (XSS)
N/A
< 1.6.0.2
Contact Form by WPForms < 1.6.0.2 - Authenticated Stored Cross-Site Scripting (XSS)
N/A
< 1.7.5.5
Contact Form by WPForms < 1.7.5.5 - Admin+ Arbitrary File Access
Medium 5.8
2023-06-22< 1.8.1.3
CVE-2023-30500
N/A
2018-09-18< 1.4.8
Contact Form by WPForms – Drag & Drop Form Builder for WordPress <= 1.4.7.2 - Stored Cross-Site Scripting
N/A
2018-12-10< 1.4.8.1
Contact Form by WPForms <= 1.4.8 - Reflected Cross-Site Scripting
N/A
2020-05-21< 1.6.0.2
Contact Form by WPForms <= 1.6.0.1 - Cross-Site Scripting
N/A
2022-09-19< 1.7.5.5
Contact Form by WPForms <= 1.7.5.3 - Authenticated (Administrator+) Arbitrary File Access via Path Traversal
N/A
2022-09-19< 1.7.5.5
WordPress Contact Form by WPForms plugin <= 1.7.5.3 - Authenticated Arbitrary File Access vulnerability
N/A
2018-12-07< 1.4.8
WordPress Contact Form by WPForms plugin <= 1.4.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
N/A
2018-12-10< 1.4.8.1
WordPress Contact Form by WPForms plugin <= 1.4.8 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
N/A
2020-07-01< 1.6.0.2
WordPress Contact Form by WPForms plugin <= 1.6.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Medium 5.4
2020-03-11< 1.5.9
CVE-2020-10385