
cpe:2.3:a:wpforms:contact_form:*:*:*:*:*:wordpress:*:*

part: a
version: *
update: *

Vendor: Wpforms (a5101ed2-31b2-593d-b803-e4eaf9633dac)
Product: Contact Form (6c13c43d-c428-5231-a995-d0fac3c53d16)
Edition: *
Language: *
Software edition: *
Target software: wordpress
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL: pkg:github/milindmore22/wpforms-lite
Source: purl2cpe
Last updated: 2026-06-01 10:16:42.959852

Vulnerability references

Identifier: CVE:CVE-2024-11273
cpeApplicability: vulnerable
Submitted: 2026-06-08 06:23:49.285616
db.gcve.eu details: Contact Form & SMTP Plugin for WordPress by PirateForms < 2.6.0 - Admin+ Stored XSS
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Published: 2025-03-25T06:00:10.410Z
Updated: 2025-03-25T13:57:42.934Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2023-30500
cpeApplicability: vulnerable
Submitted: 2026-06-08 06:04:39.675679
db.gcve.eu details: WordPress WPForms plugins - Reflected Cross Site Scripting (XSS) vulnerability
Severity: MEDIUM (5.8)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite), WPForms WPForms Pro (wpforms) plugins <= 1.8.1.2 versions.
Published: 2023-06-22T11:45:21.403Z
Updated: 2026-04-28T16:08:19.258Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2020-10385
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:16:35.165790
db.gcve.eu details: Details available
A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress.
Published: 2020-03-11T04:07:16.000Z
Updated: 2024-08-04T10:58:40.560Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2019-25145
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:13:42.012738
db.gcve.eu details: Contact Form & SMTP Plugin by PirateForms <= 2.5.1 - Unauthenticated HTML injection
Severity: HIGH (7.2)
The Contact Form & SMTP Plugin by PirateForms plugin for WordPress is vulnerable to HTML injection in the ‘public/class-pirateforms-public.php’ file in versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary HTML in emails that could be used to phish unsuspecting victims.
Published: 2023-06-07T01:51:33.912Z
Updated: 2026-04-08T17:11:43.738Z
Rationale: Imported from gcve-enriched-dumps CVE data
