wpmudev — Vulnerabilities & Security Advisories 43

Browse all 43 CVE security advisories affecting wpmudev. AI-powered Chinese analysis, POCs, and references for each vulnerability.

WPMU DEV operates as a provider of WordPress plugins, themes, and hosting services, primarily targeting website administrators and developers seeking integrated digital asset management solutions. Security audits have identified forty-one Common Vulnerabilities and Exposures (CVEs) associated with its ecosystem, reflecting a pattern of recurring issues within its software portfolio. Historically, these vulnerabilities predominantly manifest as remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from insufficient input validation and inadequate access controls in plugin code. While no single catastrophic data breach has been publicly documented as a direct result of these specific CVEs, the high volume of disclosed issues indicates systemic weaknesses in the development lifecycle. The company has responded to these findings through regular patch releases, yet the persistent nature of these defects suggests ongoing challenges in maintaining rigorous security standards across its diverse range of WordPress extensions.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-6214 | Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-862 | 6.5 | Medium | 2026-05-07 |
| CVE-2026-6222 | Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-862 | 5.3 | Medium | 2026-05-07 |
| CVE-2026-5192 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]' | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-22 | 7.5 | High | 2026-05-05 |
| CVE-2026-2729 | Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-639 | 5.3 | Medium | 2026-05-05 |
| CVE-2026-2263 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation | Hustle – Email Marketing, Lead Generation, Optins, Popups | CWE-862 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-2002 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-79 | 4.4 | Medium | 2026-02-17 |
| CVE-2026-0911 | Hustle <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upload via Module Import | Hustle – Email Marketing, Lead Generation, Optins, Popups | CWE-434 | 7.5 | High | 2026-01-24 |
| CVE-2025-14782 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-862 | 5.3 | Medium | 2026-01-09 |
| CVE-2025-14998 | Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover | Branda – White Label & Branding, Free Login Page Customizer | CWE-639 | 9.8 | Critical | 2026-01-02 |
| CVE-2025-14437 | Hummingbird <= 3.18.0 - Unauthenticated Sensitive Information Exposure via Log File | Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals \| Critical CSS \| Minify CSS \| Defer CSS Javascript \| CDN | CWE-532 | 7.5 | High | 2025-12-18 |
| CVE-2017-20206 | Appointments <= 2.2.1 - Unauthenticated PHP Object Injection | Appointments | CWE-502 | 9.8 | Critical | 2025-10-18 |
| CVE-2025-11163 | SmartCrawl SEO checker, analyzer & optimizer <= 3.14.3 - Missing Authorization to Plugin Settings Update | SmartCrawl SEO checker, analyzer & optimizer | CWE-284 | 4.3 | Medium | 2025-09-30 |
| CVE-2025-7638 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-89 | 4.9 | Medium | 2025-07-18 |
| CVE-2025-6464 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-502 | 7.5 | High | 2025-07-02 |
| CVE-2025-6463 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-73 | 8.8 | High | 2025-07-02 |
| CVE-2025-5341 | Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-79 | 6.4 | Medium | 2025-06-05 |
| CVE-2025-4047 | Broken Link Checker <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Status Dashboard View | Broken Link Checker | CWE-862 | 4.3 | Medium | 2025-06-03 |
| CVE-2025-3487 | Forminator <= 1.42.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit' | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-79 | 6.4 | Medium | 2025-04-17 |
| CVE-2025-3479 | Forminator <= 1.42.0 - Order Replay Vulnerability | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-354 | 5.3 | Medium | 2025-04-17 |
| CVE-2025-0469 | Forminator <= 1.39.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-79 | 6.4 | Medium | 2025-02-27 |
| CVE-2025-0470 | Forminator <= 1.38.2 - Reflected Cross-Site Scripting via Title Parameter | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-79 | 6.1 | Medium | 2025-01-31 |
| CVE-2024-10580 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unauthorized Form Submission | Hustle – Email Marketing, Lead Generation, Optins, Popups | CWE-862 | 5.3 | Medium | 2024-11-27 |
| CVE-2024-10579 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unpublished Form Exposure | Hustle – Email Marketing, Lead Generation, Optins, Popups | CWE-862 | 4.3 | Medium | 2024-11-26 |
| CVE-2024-9371 | Branda – White Label & Branding, Custom Login Page Customizer <= 3.4.19 - Reflected Cross-Site Scripting | Branda – White Label & Branding, Free Login Page Customizer | CWE-79 | 6.1 | Medium | 2024-11-21 |
| CVE-2024-9700 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-639 | 5.3 | Medium | 2024-10-31 |
| CVE-2024-10402 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Missing Authorization to Authenticated (Contributor+) Form Update and Creation | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-862 | 7.5 | High | 2024-10-26 |
| CVE-2024-9351 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Quiz Creation | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-352 | 4.3 | Medium | 2024-10-17 |
| CVE-2024-9352 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Custom Form Creation | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-352 | 4.3 | Medium | 2024-10-17 |
| CVE-2024-8981 | Broken Link Checker <= 2.4.0 - Reflected Cross-Site Scripting | Broken Link Checker | CWE-80 | 7.1 | High | 2024-10-01 |
| CVE-2024-7389 | Forminator <= 1.29.1 - HubSpot Developer API Key Sensitive Information Exposure | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-522 | 7.5 | High | 2024-08-02 |

This page lists every published CVE security advisory associated with wpmudev. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.