Web Dorado


Products by Web Dorado Sorted by Most Security Vulnerabilities since 2018

Web Dorado Wp Form Builder: 3 vulnerabilities
Web Dorado Form Maker: 2 vulnerabilities
Web Dorado Spidervplayer: 2 vulnerabilities
Web Dorado Wd Instagram Feed: 2 vulnerabilities
Web Dorado Wdsocialwidgets: 2 vulnerabilities
Web Dorado Backup Wd: 1 vulnerability
Web Dorado Contact Form: 1 vulnerability
Web Dorado Gallery Wd: 1 vulnerability
Web Dorado Spidercatalog: 1 vulnerability

By the Year

In 2026 there have been 2 vulnerabilities in Web Dorado with an average score of 5.6 out of ten. Web Dorado did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year.




Year Vulnerabilities Average Score
2026 2 5.55
2025 0 0.00
2024 2 5.80
2023 6 6.83
2022 0 0.00
2021 2 6.00
2020 0 0.00
2019 3 7.67
2018 5 9.80

It may take a day or so for new Web Dorado vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Web Dorado Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2019-25734 Jun 04, 2026
WordPress Contact Form by WD 1.13.1 CSRF+LFI via unsanitized action parameter
Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.
Contact Form Maker
CVE-2018-25347 May 23, 2026
WordPress Contact Form Maker 1.12.20 SQLi via FMSQLMap & generete_csv_fmc
WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges.
Contact Form Maker
CVE-2024-6520 Jul 27, 2024
WP Fluent Forms Stored XSS 5.1.19 for Admins
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom error message in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Wp Form Builder
CVE-2023-2655 Jan 16, 2024
SQLi via Unsanitized Param in wd CF 1.13.23 WordPress Plugin
The Contact Form by WD WordPress plugin through 1.13.23 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
Contact Form Maker
CVE-2023-48320 Nov 30, 2023
SpiderVPlayer <=1.5.22 Stored XSS via Improper Input Sanitization
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDorado SpiderVPlayer allows Stored XSS. This issue affects SpiderVPlayer: from n/a through 1.5.22.
Spidervplayer
CVE-2023-5048 Nov 22, 2023
WDContactFormBuilder 1.0.72 Stored XSS via Contact_Form_Builder shortcode
The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Contact_Form_Builder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on 'id' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Contact Form Builder
Wp Form Builder
CVE-2023-46619 Nov 13, 2023
CSRF in WebDorado WDSocialWidgets Plugin v1.0.15 and earlier
Cross-Site Request Forgery (CSRF) vulnerability in WebDorado WDSocialWidgets plugin <= 1.0.15 versions.
Wdsocialwidgets
CVE-2023-5709 Nov 07, 2023
WordPress WD WidgetTwitter SQLi via shortcode (v1.0.9)
The WD WidgetTwitter plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Wd Widgettwitter
CVE-2023-46090 Oct 26, 2023
Unauth XSS in WebDorado WDSocialWidgets <=1.0.15
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WebDorado WDSocialWidgets plugin <= 1.0.15 versions.
Wdsocialwidgets
CVE-2023-45632 Oct 18, 2023
Unauth Reflected XSS in WebDorado SpiderVPlayer <=1.5.22
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WebDorado SpiderVPlayer plugin <= 1.5.22 versions.
Spidervplayer
CVE-2021-24625 Nov 08, 2021
The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category.
Spidercatalog
CVE-2021-24426 Jul 12, 2021
The Backup by 10Web – Backup and Restore Plugin WordPress plugin through 1.0.20 does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue.
Backup Wd
CVE-2019-11591 Apr 29, 2019
The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
Contact Form
CVE-2019-11557 Apr 26, 2019
The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
Wp Form Builder
CVE-2018-16164 Jan 09, 2019
Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
Event Calendar Wd
CVE-2018-10504 Apr 27, 2018
The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.
Form Maker
CVE-2018-10301 Apr 23, 2018
Cross-site scripting (XSS) vulnerability in the Web-Dorado Instagram Feed WD plugin before 1.3.1 Premium for WordPress allows remote attackers to inject arbitrary web script or HTML by passing payloads in a comment on an Instagram post.
Wd Instagram Feed
CVE-2018-10300 Apr 23, 2018
Cross-site scripting (XSS) vulnerability in the Web-Dorado Instagram Feed WD plugin before 1.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML by passing payloads in an Instagram profile's bio.
Wd Instagram Feed
CVE-2018-5981 Feb 17, 2018
SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter.
Gallery Wd
CVE-2018-5991 Feb 17, 2018
SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798.
Form Maker
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).