彙總 Brainstormforce 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 路徑處理缺陷、SSRF、SQL 注入與檔案包含,在 生產負載與軟體部署 使用場景中可能帶來 檔案覆寫、未授權存取與資料外洩 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2025-5921 | The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users. | [email protected] | 5.8 | 0.33% | 2025-08-01 | 2025-08-06 |
| CVE-2025-6742 | The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chai | [email protected] | 7.5 | 1.44% | 2025-07-09 | 2025-07-11 |
| CVE-2025-6691 | The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | [email protected] | 8.1 | 1.43% | 2025-07-09 | 2025-07-11 |
| CVE-2025-3514 | The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | [email protected] | 3.5 | 0.17% | 2025-05-02 | 2025-05-28 |
| CVE-2025-3513 | The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | [email protected] | 3.5 | 0.17% | 2025-05-02 | 2025-05-28 |
| CVE-2025-3471 | The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action | [email protected] | 4.9 | 0.22% | 2025-04-30 | 2025-05-09 |
| CVE-2024-12713 | The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to. | [email protected] | 5.3 | 0.61% | 2025-01-08 | 2025-07-11 |
| CVE-2024-56274 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS.This issue affects Astra Widgets: from n/a through <= 1.2.15. | [email protected] | 6.5 | 0.16% | 2025-01-07 | 2026-04-23 |
| CVE-2024-11230 | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘size’ parameter in all versions up to, and including, 1.6.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | [email protected] | 6.4 | 0.25% | 2024-12-23 | 2025-01-29 |
| CVE-2023-23834 | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0. | [email protected] | 4.3 | 0.42% | 2024-12-09 | 2026-04-28 |
| CVE-2023-23825 | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0. | [email protected] | 3.1 | 0.36% | 2024-12-09 | 2026-04-28 |
| CVE-2024-10484 | The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Team' widget in all versions up to, and including, 2.16.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | [email protected] | 6.4 | 0.22% | 2024-12-03 | 2025-02-07 |
| CVE-2024-10325 | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.6.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | [email protected] | 6.4 | 0.22% | 2024-11-08 | 2024-11-13 |
| CVE-2024-37517 | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.13.7. | [email protected] | 4.3 | 0.33% | 2024-11-01 | 2025-03-06 |
| CVE-2024-50439 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS.This issue affects Astra Widgets: from n/a through <= 1.2.14. | [email protected] | 6.5 | 0.14% | 2024-10-28 | 2026-04-23 |
| CVE-2024-10050 | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 1.6.43 via the hfe_template shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to view the contents of Draft, Private and Password-protected posts they do not own. | [email protected] | 4.3 | 0.47% | 2024-10-24 | 2025-01-29 |
| CVE-2024-7590 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows DOM-Based XSS.This issue affects Spectra: from n/a through <= 2.14.1. | [email protected] | 6.5 | 0.15% | 2024-08-12 | 2026-04-23 |
| CVE-2024-43151 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder – Lite allows Stored XSS.This issue affects Ultimate Addons for Beaver Builder – Lite: from n/a through 1.5.9. | [email protected] | 6.5 | 0.15% | 2024-08-12 | 2025-05-27 |
| CVE-2024-33933 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brainstorm Force, Nikhil Chavan Elementor – Header, Footer & Blocks Template allows DOM-Based XSS.This issue affects Elementor – Header, Footer & Blocks Template: from n/a through 1.6.35. | [email protected] | 6.5 | 0.06% | 2024-07-22 | 2024-11-21 |
| CVE-2024-37278 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pratik Chaskar Cards for Beaver Builder.This issue affects Cards for Beaver Builder: from n/a through 1.1.4. | [email protected] | 5.9 | 0.07% | 2024-07-22 | 2024-11-21 |