Smart%20Forms%20%E2%80%93%20when%20you%20need%20more%20than%20just%20a%20contact%20form

Smart Forms – when you need more than just a contact form

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2025-5055

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-4.4||MEDIUM

EPSS-0.03% / 7.59%

7 Day CHG~0.00%

Published-24 May, 2025 | 02:23

Updated-28 May, 2025 | 14:58

Smart Forms <= 2.6.98 - Authenticated (Admin+) Stored Cross-Site Scripting

The Smart Forms – when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Vendor-edgarrojas

Product-Smart Forms – when you need more than just a contact form

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-0163

Assigner-WPScan

View Details

Assigner-WPScan

CVSS Score-6.5||MEDIUM

EPSS-0.43% / 61.57%

7 Day CHG~0.00%

Published-07 Mar, 2022 | 08:16

Updated-02 Aug, 2024 | 23:18

Smart Forms < 2.6.71 - Subscriber+ Form Data Download

The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form.

Vendor-rednao Unknown

Product-smart_forms Smart Forms – when you need more than just a contact form

CWE ID-CWE-862

Missing Authorization