Skip to main content

Contact Form 7 Database Addon

5 CVEs product

Monthly

CVE-2025-6740 MEDIUM PATCH This Month

The Contact Form 7 Database Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tmpD’ parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Contact Form 7 Database Addon PHP
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2022-3634 CRITICAL POC Act Now

The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when output it back in a CSV file, which could lead to CSV injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Contact Form 7 Database Addon
NVD WPScan
CVSS 3.1
9.8
EPSS
3.6%
CVE-2021-36886 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon - CFDB7 WordPress plugin (versions <= 1.2.5.9). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Contact Form 7 Database Addon
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2021-36885 MEDIUM This Month

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon - CFDB7 WordPress plugin (versions <= 1.2.6.1). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Contact Form 7 Database Addon
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24144 HIGH This Week

Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection Contact Form 7 Database Addon
NVD WPScan
CVSS 3.1
7.8
EPSS
1.2%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The Contact Form 7 Database Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tmpD’ parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Contact Form 7 Database Addon +1
NVD
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when output it back in a CSV file, which could lead to CSV injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Contact Form 7 Database Addon
NVD WPScan
EPSS 1% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon - CFDB7 WordPress plugin (versions <= 1.2.5.9). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Contact Form 7 Database Addon
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon - CFDB7 WordPress plugin (versions <= 1.2.6.1). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Contact Form 7 Database Addon
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection Contact Form 7 Database Addon
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy