ncrafts CVE Vulnerabilities & Metrics

Focus on ncrafts vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About ncrafts Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with ncrafts. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total ncrafts CVEs: 8
Earliest CVE date: 20 Dec 2013, 23:55 UTC
Latest CVE date: 18 Feb 2025, 11:15 UTC

Latest CVE reference: CVE-2025-0817

Rolling Stats

30-day Count (Rolling): 2
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical ncrafts CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.12

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	6
4.0-6.9	2
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS ncrafts CVEs

These are the five CVEs with the highest CVSS scores for ncrafts, sorted by severity first and recency.

CVE-2013-7187 ncrafts Published on 20 Dec 2013, 23:55 UTC (CVSS: 7.5)
SQL injection vulnerability in form.php in the FormCraft plugin 1.3.7 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2019-15114 ncrafts Published on 16 Aug 2019, 21:15 UTC (CVSS: 6.8)
The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.
CVE-2019-5920 ncrafts Published on 12 Mar 2019, 22:29 UTC (CVSS: 6.8)
Cross-site request forgery (CSRF) vulnerability in FormCraft 1.2.1 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.
CVE-2022-1647 ncrafts Published on 08 Jun 2022, 10:15 UTC (CVSS: 3.5)
The FormCraft WordPress plugin before 1.2.6 does not sanitise and escape Field Labels, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2017-18600 ncrafts Published on 10 Sep 2019, 12:15 UTC (CVSS: 3.5)
The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field.

All CVEs for ncrafts

CVE-2025-0817 ncrafts vulnerability CVSS: 0 18 Feb 2025, 11:15 UTC

The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVE-2024-13783 ncrafts vulnerability CVSS: 0 18 Feb 2025, 11:15 UTC

The FormCraft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in formcraft-main.php in all versions up to, and including, 3.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export all plugin data which may contain sensitive information from form submissions.

CVE-2023-2592 ncrafts vulnerability CVSS: 0 27 Jun 2023, 14:15 UTC

The FormCraft WordPress plugin before 3.9.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVE-2023-22717 ncrafts vulnerability CVSS: 0 15 May 2023, 12:15 UTC

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in nCrafts FormCraft plugin <= 1.2.6 versions.

CVE-2022-1647 ncrafts vulnerability CVSS: 3.5 08 Jun 2022, 10:15 UTC

The FormCraft WordPress plugin before 1.2.6 does not sanitise and escape Field Labels, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2017-18600 ncrafts vulnerability CVSS: 3.5 10 Sep 2019, 12:15 UTC

The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field.

CVE-2019-15114 ncrafts vulnerability CVSS: 6.8 16 Aug 2019, 21:15 UTC

The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.

CVE-2019-5920 ncrafts vulnerability CVSS: 6.8 12 Mar 2019, 22:29 UTC

Cross-site request forgery (CSRF) vulnerability in FormCraft 1.2.1 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.

CVE-2013-7187 ncrafts vulnerability CVSS: 7.5 20 Dec 2013, 23:55 UTC

SQL injection vulnerability in form.php in the FormCraft plugin 1.3.7 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.