Crmperks Database Contact Form 7 Wpforms Elementor Forms


By the Year

In 2026 there have been 4 vulnerabilities in Crmperks Database Contact Form 7 Wpforms Elementor Forms, with an average score of 6.9 out of ten. Last year, in 2025, Database Contact Form 7 Wpforms Elementor Forms had 1 security vulnerability published. That is, 3 more vulnerabilities have already been reported in 2026 than last year. Last year, the average CVE base score was greater by 2.93.




| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 4 | 6.88 |
| 2025 | 1 | 9.80 |
| 2024 | 4 | 7.15 |
| 2023 | 2 | 7.25 |

It may take a day or so for new Database Contact Form 7 Wpforms Elementor Forms vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Crmperks Database Contact Form 7 Wpforms Elementor Forms Security Vulnerabilities

WordPress Contact-Form-7-DB v1.5.1: File Deletion Unauth RCE
CVE-2026-9843 8.1 - High - June 20, 2026

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP's bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file.

Directory traversal

WordPress Form Plugins 1.4.9 Auth Cap Check Missing (Data Leak)
CVE-2026-3831 4.3 - Medium - April 01, 2026

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers.

AuthZ

PHP Object Injection via download_csv in Contact Form 7 Database 1.4.7
CVE-2026-2599 9.8 - Critical - March 05, 2026

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Marshaling, Unmarshaling

Auth Bypass: WordPress Form DB CSV Export <=1.4.5
CVE-2026-0825 5.3 - Medium - January 28, 2026

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.

AuthZ

PHP Object Injection in Contact Form 7 <=1.4.3 get_lead_detail - RCE
CVE-2025-7384 9.8 - Critical - August 13, 2025

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

Marshaling, Unmarshaling

WPForms/CF7 Stored XSS in Forms DB (1.3.8)
CVE-2024-3715 7.2 - High - May 02, 2024

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Contact Form 7 WPForms Elementor Forms (1.3.3)
CVE-2024-2030 6.4 - Medium - March 13, 2024

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Arbitrary File Upload in WP Contact Form Entries 1.3.2 via view_page
CVE-2024-1069 7.2 - High - January 31, 2024

The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Unrestricted File Upload

CSV Injection in Contact Form Entries WP Plugin before 1.3.0
CVE-2022-3604 7.8 - High - January 16, 2024

The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when it is output in a CSV file, which could lead to CSV injection.

CSV Injection

CRM Perks Integration for HubSpot <=1.2.8 Open Redirect
CVE-2023-31095 4.7 - Medium - December 29, 2023

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms. This issue affects Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.8.

Open Redirect

WordPress Plugin CRM Perks DB <=1.3.0 SQL Injection via Contact Form Entries
CVE-2023-31212 9.8 - Critical - October 31, 2023

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Database for Contact Form 7, WPforms, Elementor forms contact-form-entries allows SQL Injection. This issue affects Database for Contact Form 7, WPforms, Elementor forms: from n/a through 1.3.0.

SQL Injection
