汇总 Brainstormforce 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 路径处理缺陷、SSRF、SQL 注入与文件包含,在 生产负载与软件部署 使用场景中可能带来 文件覆盖、未授权访问与数据泄露 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-5921 | The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users. | [email protected] | 5.8 | 0.33% | 2025-08-01 | 2025-08-06 |
| CVE-2025-6742 | The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chai | [email protected] | 7.5 | 1.44% | 2025-07-09 | 2025-07-11 |
| CVE-2025-6691 | The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | [email protected] | 8.1 | 1.43% | 2025-07-09 | 2025-07-11 |
| CVE-2025-3514 | The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | [email protected] | 3.5 | 0.17% | 2025-05-02 | 2025-05-28 |
| CVE-2025-3513 | The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | [email protected] | 3.5 | 0.17% | 2025-05-02 | 2025-05-28 |
| CVE-2025-3471 | The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action | [email protected] | 4.9 | 0.07% | 2025-04-30 | 2025-05-09 |
| CVE-2024-12713 | The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to. | [email protected] | 5.3 | 0.61% | 2025-01-08 | 2025-07-11 |
| CVE-2024-56274 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS.This issue affects Astra Widgets: from n/a through <= 1.2.15. | [email protected] | 6.5 | 0.16% | 2025-01-07 | 2026-04-23 |
| CVE-2024-11230 | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘size’ parameter in all versions up to, and including, 1.6.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | [email protected] | 6.4 | 0.25% | 2024-12-23 | 2025-01-29 |
| CVE-2023-23834 | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0. | [email protected] | 4.3 | 0.42% | 2024-12-09 | 2026-04-28 |
| CVE-2023-23825 | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0. | [email protected] | 3.1 | 0.36% | 2024-12-09 | 2026-04-28 |
| CVE-2024-10484 | The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Team' widget in all versions up to, and including, 2.16.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | [email protected] | 6.4 | 0.22% | 2024-12-03 | 2025-02-07 |
| CVE-2024-10325 | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.6.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | [email protected] | 6.4 | 0.22% | 2024-11-08 | 2024-11-13 |
| CVE-2024-37517 | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.13.7. | [email protected] | 4.3 | 0.33% | 2024-11-01 | 2025-03-06 |
| CVE-2024-50439 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS.This issue affects Astra Widgets: from n/a through <= 1.2.14. | [email protected] | 6.5 | 0.14% | 2024-10-28 | 2026-04-23 |
| CVE-2024-10050 | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 1.6.43 via the hfe_template shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to view the contents of Draft, Private and Password-protected posts they do not own. | [email protected] | 4.3 | 0.47% | 2024-10-24 | 2025-01-29 |
| CVE-2024-7590 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows DOM-Based XSS.This issue affects Spectra: from n/a through <= 2.14.1. | [email protected] | 6.5 | 0.15% | 2024-08-12 | 2026-04-23 |
| CVE-2024-43151 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder – Lite allows Stored XSS.This issue affects Ultimate Addons for Beaver Builder – Lite: from n/a through 1.5.9. | [email protected] | 6.5 | 0.15% | 2024-08-12 | 2025-05-27 |
| CVE-2024-33933 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brainstorm Force, Nikhil Chavan Elementor – Header, Footer & Blocks Template allows DOM-Based XSS.This issue affects Elementor – Header, Footer & Blocks Template: from n/a through 1.6.35. | [email protected] | 6.5 | 0.06% | 2024-07-22 | 2024-11-21 |
| CVE-2024-37278 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pratik Chaskar Cards for Beaver Builder.This issue affects Cards for Beaver Builder: from n/a through 1.1.4. | [email protected] | 5.9 | 0.07% | 2024-07-22 | 2024-11-21 |