GCVE - cpe:2.3:a:web-dorado:wp_form_builder:*:*:*:*:*:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:web-dorado:wp_form_builder:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor	Web Dorado (`f49dd84c-ba77-5f19-a979-5332ef037d9d`)
Product	Wp Form Builder (`03215a12-23dd-5039-a055-765a5153a3a3`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-6520`	vulnerable	2026-06-03 14:58:03.387309	Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19 - Authenticated (Administrator+) Stored Cross-Site Scripting MEDIUM (4.4) The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom error message in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Published: 2024-07-27T11:37:29.048Z Updated: 2026-04-08T16:34:37.074Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/0a30d35c-9883-4b0f-83a2-494401c45d8e?source=cve https://wordpress.org/plugins/fluentform/#developers https://plugins.trac.wordpress.org/changeset/3125227/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-5048`	vulnerable	2026-06-03 14:53:46.849890	WDContactFormBuilder <= 1.0.72 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode MEDIUM (6.4) The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Contact_Form_Builder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on 'id' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2023-11-22T15:33:27.053Z Updated: 2026-04-08T17:00:33.676Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/7152253a-7bb8-4b5c-bffd-86e46df54b7e?source=cve https://plugins.trac.wordpress.org/browser/contact-form-builder/tags/1.0.72/frontend/views/CFMViewForm_maker.php#L102	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-11557`	vulnerable	2026-06-03 14:39:33.407139	Details available The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. Published: 2019-04-26T21:42:23.000Z Updated: 2024-08-04T22:55:40.903Z Open on db.gcve.eu Reference links https://lists.openwall.net/full-disclosure/2019/04/23/1 https://wordpress.org/plugins/contact-form-builder/#developers http://seclists.org/fulldisclosure/2019/Apr/35 https://wpvulndb.com/vulnerabilities/9260	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.