Vulnerabilities > Fluentforms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-27 | CVE-2024-0618 | Cross-site Scripting vulnerability in Fluentforms Contact Form The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. | 4.8 |
| 2023-10-31 | CVE-2023-24410 | Unspecified vulnerability in Fluentforms Contact Form Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection.This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25. | 9.8 |
| 2023-04-10 | CVE-2023-0546 | Unspecified vulnerability in Fluentforms Contact Form The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form. | 5.4 |
| 2022-11-07 | CVE-2022-3463 | Unspecified vulnerability in Fluentforms Contact Form The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection | 9.8 |
| 2021-07-07 | CVE-2021-34620 | Cross-Site Request Forgery (CSRF) vulnerability in Fluentforms Contact Form The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions | 8.8 |