🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

FormCraft – Contact Form Builder for WordPress

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > FormCraft – Contact Form Builder for WordPress

Information

Software Type	Plugin
Software Slug	formcraft-form-builder (view on wordpress.org)
Software Status	Active
Software Author	nishncraftsnet
Software Website	ncrafts.net
Software Downloads	107,212
Software Active Installs	4,000
Software Record Last Updated	May 18, 2024

9 Vulnerabilities

FormCraft <= 1.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2023-3501

Aug 2, 2023

Researcher: Sayandeep Dutta

FormCraft <= 1.2.7 - Missing Authorization via formcraft_nag_update

5.3

CVE-2023-47823

Nov 16, 2023

Researcher: Abdi Pranata

FormCraft Basic <= 1.2.5 - Authenticated (Admin+) Stored Cross-Site Scripting

5.5

CVE-2022-1647

May 16, 2022

Researcher: Chiragh Arora

FormCraft <= 1.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via fcb shortcode

6.4

CVE-2023-22717

Apr 19, 2023

Researcher: István Márton

FormCraft Premium <= 3.9.6 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-2592

Jun 5, 2023

Researcher: Chien Vuong

FormCraft <= 1.2.1 - Cross-Site Request Forgery

8.8

CVE-2019-5920

Feb 26, 2019

Researcher: Masaki Saito

FormCraft <= 1.2.1 - Cross-Site Request Forgery

8.8

CVE-2019-15114

Feb 26, 2019

Researcher: Masaki Saito

Formcraft3 <= 3.8.27 - Server Side Request Forgery

9.1

CVE-2022-0591

Feb 28, 2022

Researcher: Brandon James Roldan (tomorrowisnew)

FormCraft Basic 1.0.5 - SQL Injection via id Parameter

9.8

CVE-2017-13137

Jul 5, 2017

Researchers: Seyyed Amir Hossein Mir Hosseini, r0m3r0

Title	Status	CVE ID	CVSS	Researchers	Date
FormCraft <= 1.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting	Patched	CVE-2023-3501	4.4	Sayandeep Dutta	August 2, 2023
FormCraft <= 1.2.7 - Missing Authorization via formcraft_nag_update	Patched	CVE-2023-47823	5.3	Abdi Pranata	November 16, 2023
FormCraft Basic <= 1.2.5 - Authenticated (Admin+) Stored Cross-Site Scripting	Patched	CVE-2022-1647	5.5	Chiragh Arora	May 16, 2022
FormCraft <= 1.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via fcb shortcode	Unpatched	CVE-2023-22717	6.4	István Márton	April 19, 2023
FormCraft Premium <= 3.9.6 - Authenticated(Administrator+) SQL Injection	Patched	CVE-2023-2592	6.6	Chien Vuong	June 5, 2023
FormCraft <= 1.2.1 - Cross-Site Request Forgery	Patched	CVE-2019-5920	8.8	Masaki Saito	February 26, 2019
FormCraft <= 1.2.1 - Cross-Site Request Forgery	Patched	CVE-2019-15114	8.8	Masaki Saito	February 26, 2019
Formcraft3 <= 3.8.27 - Server Side Request Forgery	Patched	CVE-2022-0591	9.1	Brandon James Roldan (tomorrowisnew)	February 28, 2022
FormCraft Basic 1.0.5 - SQL Injection via id Parameter	Patched	CVE-2017-13137	9.8	Seyyed Amir Hossein Mir Hosseini, r0m3r0	July 5, 2017

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation