Search Results (43 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-9145 2 Crmperks, Wordpress 2 Database For Contact Form 7, Wpforms, Elementor Forms, Wordpress 2026-07-02 6.5 Medium
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() without validating that the value corresponds to a legitimately uploaded file — when no file is present in $_FILES, raw_value reflects the attacker-controlled POST string. copy() accepts both local filesystem paths and URL sources, so the attacker can target any file readable by the PHP process or supply an attacker-controlled remote URL. Elementor Pro is a prerequisite for triggering the code path (it owns the elementor_pro/forms/new_record hook and populates the Form_Record object), but the bug itself is entirely in Contact Form Entries' handler. This could allow unauthenticated attackers to disclose arbitrary files on the affected site's server. The file is copied to a directory unknown to the attacker; the hashed directory name provides defense-in-depth but is generated from non-cryptographic sources (uniqid() + rand()) and should not be relied upon as the primary mitigation.
CVE-2026-9843 2 Crmperks, Wordpress 2 Database For Contact Form 7, Wpforms, Elementor Forms, Wordpress 2026-06-22 8.1 High
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP's bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file.
CVE-2026-49106 2 Crmperks, Wordpress 2 Integration For Contact Form 7 And Constant Contact, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.
CVE-2026-49085 2 Crmperks, Wordpress 2 Wp Insightly For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
CVE-2026-49105 2 Crmperks, Wordpress 2 Wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
CVE-2026-32527 2 Crmperks, Wordpress 2 Wp Insightly For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms, Wordpress 2026-04-29 6.5 Medium
Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-insightly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.5.
CVE-2023-31212 1 Crmperks 1 Database For Contact Form 7\, Wpforms\, Elementor Forms 2026-04-28 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Database for Contact Form 7, WPforms, Elementor forms contact-form-entries allows SQL Injection.This issue affects Database for Contact Form 7, WPforms, Elementor forms: from n/a through 1.3.0.
CVE-2024-34756 1 Crmperks 1 Integration For Constant Contact And Contact Form 7\, Wpforms\, Elementor\, Ninja 2026-04-28 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 HubSpot.This issue affects Integration for Contact Form 7 HubSpot: from n/a through 1.3.1.
CVE-2024-30498 1 Crmperks 1 Crm Perks Forms 2026-04-28 9.3 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks CRM Perks Forms.This issue affects CRM Perks Forms: from n/a through 1.1.4.
CVE-2024-30499 1 Crmperks 1 Crm Perks Forms 2026-04-28 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks CRM Perks Forms.This issue affects CRM Perks Forms: from n/a through 1.1.4.
CVE-2024-30446 1 Crmperks 1 Crm Perks Forms 2026-04-28 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms allows Stored XSS.This issue affects CRM Perks Forms: from n/a through 1.1.4.
CVE-2023-51536 1 Crmperks 1 Crm Perks Forms 2026-04-28 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms – WordPress Form Builder allows Stored XSS.This issue affects CRM Perks Forms – WordPress Form Builder: from n/a through 1.1.2.
CVE-2023-47779 1 Crmperks 1 Integration For Constant Contact And Contact Form 7\, Wpforms\, Elementor\, Ninja 2026-04-28 4.7 Medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks. Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.1.4.
CVE-2023-38481 1 Crmperks 1 Integration For Woocommerce And Zoho Crm\, Books\, Invoice\, Inventory\, Bigin 2026-04-28 4.7 Medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin.This issue affects Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin: from n/a before 1.3.7.
CVE-2023-38478 1 Crmperks 1 Integration For Woocommerce And Quickbooks 2026-04-28 4.7 Medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and QuickBooks.This issue affects Integration for WooCommerce and QuickBooks: from n/a through 1.2.3.
CVE-2023-37982 1 Crmperks 1 Integration For Salesforce And Contact Form 7\, Wpforms\, Elementor\, Ninja Forms 2026-04-28 4.7 Medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.3.3.
CVE-2023-31095 1 Crmperks 1 Database For Contact Form 7\, Wpforms\, Elementor Forms 2026-04-28 4.7 Medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.8.
CVE-2025-60089 3 Crm Perks, Crmperks, Wordpress 3 Wp Gravity Forms Freshdesk Plugin, Wp Gravity Forms Freshdesk Plugin, Wordpress 2026-04-24 9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.
CVE-2025-60090 3 Crm Perks, Crmperks, Wordpress 3 Wp Gravity Forms Insightly, Wp Gravity Forms Insightly, Wordpress 2026-04-24 9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6.
CVE-2025-60091 3 Crm Perks, Crmperks, Wordpress 3 Wp Gravity Forms Zoho Crm And Bigin, Wp Gravity Forms Zoho Crm And Bigin, Wordpress 2026-04-24 9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.