Skip to main content

Cformsii

5 CVEs product

Monthly

CVE-2026-39435 HIGH This Week

Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when the crafted content is rendered, enabling session hijacking, credential theft, or actions on behalf of authenticated users including administrators. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 (UI:R, scope-changed). No public exploit identified at time of analysis and EPSS data was not provided.

XSS Cformsii
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39436 HIGH This Week

Cross-Site Request Forgery in the CformsII WordPress plugin (bgermann) through version 15.1.3 allows remote unauthenticated attackers to coerce an authenticated victim into submitting forged state-changing requests, resulting in limited integrity loss and high availability impact. No public exploit identified at time of analysis and EPSS sits at 0.01% (4th percentile), indicating very low near-term exploitation probability, and SSVC marks exploitation as none. Patchstack tracks the issue and EUVD-2026-31766 mirrors the advisory.

CSRF Cformsii
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2023-25449 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Oliver Seidel, Bastian Germann cformsII plugin <= 15.0.4 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Cformsii
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2019-15238 HIGH POC This Week

The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Cformsii
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2014-9473 HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 39.4%.

RCE WordPress PHP File Upload Cformsii
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
39.4%
Threat
4.2
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when the crafted content is rendered, enabling session hijacking, credential theft, or actions on behalf of authenticated users including administrators. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 (UI:R, scope-changed). No public exploit identified at time of analysis and EPSS data was not provided.

XSS Cformsii
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery in the CformsII WordPress plugin (bgermann) through version 15.1.3 allows remote unauthenticated attackers to coerce an authenticated victim into submitting forged state-changing requests, resulting in limited integrity loss and high availability impact. No public exploit identified at time of analysis and EPSS sits at 0.01% (4th percentile), indicating very low near-term exploitation probability, and SSVC marks exploitation as none. Patchstack tracks the issue and EUVD-2026-31766 mirrors the advisory.

CSRF Cformsii
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Oliver Seidel, Bastian Germann cformsII plugin <= 15.0.4 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Cformsii
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Cformsii
NVD
EPSS 39% 4.2 CVSS 7.5
HIGH POC THREAT Act Now

Unrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 39.4%.

RCE WordPress PHP +2
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy