This page lists publicly disclosed CVE vulnerabilities affecting web-dorado contact_form_maker (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2019-25734 | Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions. | [email protected] | 5.1 | 0.89% | 2026-06-04 | 2026-06-16 |
| CVE-2018-25347 | WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges. | [email protected] | 7.1 | 0.21% | 2026-05-23 | 2026-06-16 |
| CVE-2023-2655 | The Contact Form by WD WordPress plugin through 1.13.23 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin | [email protected] | 7.2 | 0.92% | 2024-01-16 | 2026-06-17 |
| CVE-2015-2798 | SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. | [email protected] | 9.8 | 3.26% | 2017-07-25 | 2026-06-16 |