Description
The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2026-03-21
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary shortcode execution enables attackers to run any WordPress shortcode without authentication, potentially leading to code injection or content manipulation,
Action: Immediate Update
AI Analysis

Impact

The ARForms plugin for WordPress contains a flaw that allows unauthenticated users to pass arbitrary values to the do_shortcode function without proper validation. This weakens the plugin to code injection via WordPress shortcodes, classified as CWE‑94. An attacker can supply any shortcode, which may include functions that reveal sensitive data, modify the site’s content, or trigger additional malicious actions, thereby compromising the confidentiality, integrity, and availability of the affected website.

Affected Systems

This vulnerability affects all installations of the ARForms Contact Form, Survey, Quiz & Popup Form Builder plugin produced by reputeinfosystems that are running version 1.7.2 or older. The issue is present in all supported WordPress versions where the plugin is active.

Risk and Exploitability

The CVSS score of 5.6 indicates a moderate severity. Attackers can exploit the flaw remotely from any position on the internet since no authentication is required. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the nature of the flaw—unauthenticated arbitrary shortcode execution—suggests a relatively high likelihood of exploitation for attackers who discover the vulnerable endpoint. Mitigating the risk requires immediate patching or removal of the vulnerable plugin functionality.

Generated by OpenCVE AI on March 21, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ARForms plugin to the newest version (at least 1.7.3) as soon as possible.
  • If an immediate update is not feasible, disable the shortcode processing feature within the plugin or restrict access to the affected form endpoints.
  • Monitor server logs for suspicious shortcode usage and review content for unauthorized changes.

Generated by OpenCVE AI on March 21, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Reputeinfosystems
Reputeinfosystems contact Form, Survey, Quiz & Popup Form Builder – Arforms
Wordpress
Wordpress wordpress
Vendors & Products Reputeinfosystems
Reputeinfosystems contact Form, Survey, Quiz & Popup Form Builder – Arforms
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Title Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Reputeinfosystems Contact Form, Survey, Quiz & Popup Form Builder – Arforms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:48.804Z

Reserved: 2025-01-28T20:47:46.970Z

Link: CVE-2024-13785

cve-icon Vulnrichment

Updated: 2026-03-23T17:04:06.003Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:16:47.620

Modified: 2026-04-22T21:32:08.360

Link: CVE-2024-13785

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:41:57Z

Weaknesses