Rocklobster Contact Form 7 — known CVE vulnerabilities
Every CVE whose affected-product data names Rocklobster Contact Form 7, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2020-35489 — CVSS 10.0 (critical): The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because…
CVE-2018-20979 — CVSS 9.8 (critical): The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type.
CVE-2021-24159 — CVSS 8.8 (high): Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject…
CVE-2023-6449 — CVSS 6.6 (medium): The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate'…
CVE-2024-2242 — CVSS 6.1 (medium): The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions…
CVE-2024-4704 — CVSS 6.1 (medium): The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the…
CVE-2025-3247 — CVSS 5.3 (medium): The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the…
CVE-2014-2265 — CVSS 5.0 (medium): Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data…
CVE-2023-6630 — CVSS 4.3 (medium): The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to…