Aggregates CVE and security vulnerability intelligence across all wpmudev-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting, vendor risk csrf, and vendor risk path handling and related problems; some flaws may lead to vendor impact session compromise and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2017-20206 | The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors. | [email protected] | 9.8 | 0.54% | 2025-10-18 | 2025-12-23 |
| CVE-2025-5341 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id' and 'data-size’ parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | [email protected] | 6.4 | 0.21% | 2025-06-05 | 2025-07-10 |
| CVE-2024-8492 | The Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | [email protected] | 4.8 | 0.27% | 2025-05-15 | 2025-06-12 |
| CVE-2025-3487 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘limit’ parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | [email protected] | 6.4 | 0.56% | 2025-04-17 | 2025-05-28 |
| CVE-2025-3479 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transac | [email protected] | 5.3 | 0.42% | 2025-04-17 | 2025-05-28 |
| CVE-2025-0469 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider template data in all versions up to, and including, 1.39.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | [email protected] | 6.4 | 0.23% | 2025-02-27 | 2025-03-11 |
| CVE-2024-7052 | The Forminator Forms WordPress plugin before 1.38.3 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 4.8 | 0.06% | 2025-02-14 | 2025-05-14 |
| CVE-2025-0470 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the title parameter in all versions up to, and including, 1.38.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | [email protected] | 6.1 | 0.82% | 2025-01-31 | 2025-05-23 |
| CVE-2024-37444 | Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Defender Security defender-security.This issue affects Defender Security: from n/a through <= 4.7.1. | [email protected] | 5.3 | 0.32% | 2024-11-01 | 2026-04-23 |
| CVE-2024-9700 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions. | [email protected] | 5.3 | 0.23% | 2024-10-31 | 2024-11-25 |
| CVE-2024-10402 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms. | [email protected] | 7.5 | 0.38% | 2024-10-26 | 2025-02-05 |
| CVE-2024-9352 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the custom form 'create_module' function. This makes it possible for unauthenticated attackers to create draft forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | [email protected] | 4.3 | 0.06% | 2024-10-17 | 2025-01-29 |
| CVE-2024-9351 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the quiz 'create_module' function. This makes it possible for unauthenticated attackers to create draft quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | [email protected] | 4.3 | 0.06% | 2024-10-17 | 2025-01-29 |
| CVE-2024-43117 | Cross-Site Request Forgery (CSRF) vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hummingbird hummingbird-performance.This issue affects Hummingbird: from n/a through <= 3.9.1. | [email protected] | 4.3 | 0.18% | 2024-08-26 | 2026-04-23 |
| CVE-2024-37239 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Branda branda-white-labeling.This issue affects Branda: from n/a through <= 3.4.17. | [email protected] | 5.9 | 0.11% | 2024-07-22 | 2026-04-23 |
| CVE-2024-6554 | The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is due the plugin utilizing composer without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be prese | [email protected] | 5.3 | 0.56% | 2024-07-11 | 2026-04-08 |
| CVE-2024-5191 | The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | [email protected] | 6.4 | 0.36% | 2024-06-21 | 2026-04-08 |
| CVE-2023-47189 | Improper Authentication vulnerability in WPMU DEV Defender Security allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Defender Security: from n/a through 4.2.0. | [email protected] | 5.3 | 1.00% | 2024-06-04 | 2025-05-29 |
| CVE-2024-25595 | Authentication Bypass by Spoofing vulnerability in WPMU DEV Defender Security allows Functionality Bypass.This issue affects Defender Security: from n/a through 4.4.1. | [email protected] | 5.3 | 0.13% | 2024-05-17 | 2025-05-28 |
| CVE-2022-44581 | Insecure Storage of Sensitive Information vulnerability in WPMU DEV Defender Security allows : Screen Temporary Files for Sensitive Information.This issue affects Defender Security: from n/a through 3.3.2. | [email protected] | 5.0 | 0.33% | 2024-05-17 | 2025-05-28 |