20 matches found
CVE-2024-31077
CVE-2024-31077 affects Forminator (WordPress plugin) prior to 1.29.3. The issue is an SQL Injection in the admin-facing form handling that can be triggered by an authenticated admin, enabling access/alteration of database data and potential DoS. Remediation is to upgrade Forminator to 1.29.3 or l...
CVE-2023-4596
CVE-2023-4596 — WordPress Forminator plugin Arbitrary File Upload Affected software: WordPress Forminator plugin (all environments using WordPress) up to version 1.24.6. Root cause: Vulnerability arises from file type validation occurring after a file has been uploaded in upload_post_image(), ena...
CVE-2024-28890
CVE-2024-28890 : Forminator (WordPress plugin) before 1.29.0 has an unrestricted file upload of dangerous types vulnerability. This could allow a remote attacker to access server files, modify the site, and potentially cause a DoS. Remediation: upgrade Forminator to version 1.29.0 or later (per R...
CVE-2025-6463
The CVE-2025-6463 affects the WordPress Forminator Forms plugin (Contact/Payment/Custom Form Builder) versioned up to and including 1.44.2. The vulnerability arises from insufficient validation in entry_delete_upload_files, allowing unauthenticated attackers to inject arbitrary file paths into a ...
CVE-2024-31857
Forminator (WordPress plugin) contains a cross-site scripting vulnerability (CVE-2024-31857) affecting versions prior to 1.15.4. An attacker could exploit this to obtain user information and alter page contents in a user’s browser. The Red Hat and Wordfence entries confirm the vulnerability in Fo...
CVE-2024-7389
The CVE-2024-7389 entry affects the WordPress Forminator plugin (versions
CVE-2021-36821
Summary of CVE-2021-36821 – WordPress Forminator stored XSS : The vulnerability affects the Forminator plugin for WordPress, with versions up to and including 1.14.11. The underlying issue is improper neutralization of input during web page generation, resulting in stored Cross-Site Scripting (XS...
CVE-2024-45625
CVE-2024-45625 affects Forminator Forms v1.34.0 and earlier. The issue is a cross-site scripting vulnerability (CWE-79) in the way URLs embedded in a Forminator form can cause arbitrary script execution in the user’s browser when a crafted URL is accessed. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI...
CVE-2024-1794
CVE-2024-1794 is a stored XSS flaw in WordPress Forminator up to version 1.29.0 via file uploads (e.g., 3gpp). Public docs confirm unauthenticated exploitation leading to script execution when served pages load injected content. Connected sources indicate the issue was addressed in later patches ...
CVE-2024-29777
CVE-2024-29777 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Forminator (WPMU DEV) up to version 1.29.0. The issue arises from improper input neutralization during web page generation. Affected: Forminator
CVE-2023-3134
The CVE-2023-3134 vulnerability affects the Forminator WordPress plugin and is a reflected XSS in which values are not properly escaped when echoed into form fields that use pre-populated query parameters. Affected product/version: Forminator WordPress plugin prior to 1.24.4. Impact is described ...
CVE-2024-3053
CVE-2024-3053 applies to the WordPress plugin Forminator – Contact Form, Payment Form & Custom Form Builder . The vulnerability is a Stored Cross-Site Scripting via the shortcodes’ forminator_form id attribute, affecting versions up to and including 1.29.2 due to insufficient input sanitization a...
CVE-2023-2010
The CVE-2023-2010 vulnerability affects the WordPress Forminator plugin versions prior to 1.24.1. The root cause is a lack of an atomic operation to verify whether a user has already voted before updating the vote status, resulting in a race condition that may allow a single user to vote multiple...
CVE-2019-9567
CVE-2019-9567 describes an XSS vulnerability in the WordPress Forminator Contact Form, Poll & Quiz Builder plugin prior to v1.6, caused by improper handling/encoding of a custom poll input field. Public records (NVD entry) state an XSS in the poll input field; some sources discuss persistent XSS ...
CVE-2021-24700
CVE-2021-24700 – Forminator WordPress plugin vulnerability : The WordPress Forminator plugin versions before 1.15.4 do not sanitize and escape the email field label, enabling stored Cross-Site Scripting (XSS) by high-privilege users. Affected software: Forminator Form plugin for WordPress; vulner...
CVE-2019-9568
Forminator Contrast: The WordPress plugin Forminator Contact Form, Poll & Quiz Builder is affected by an SQL Injection in versions before 1.6 via the entry[] parameter in the admin interface, if the attacker has delete permission. The root cause is a SQL query vulnerability in bulk delete logic f...
CVE-2021-4417
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is affected by a Cross-Site Request Forgery in versions up to 1.13.4, caused by missing/incorrect nonce validation in listen_for_saving_export_schedule(). This can let unauthenticated attackers export form subm...
CVE-2023-5119
CVE-2023-5119 affects the Forminator WordPress plugin prior to 1.27.0. The issue stems from improper sanitization of the redirect-url field in form submission settings, enabling high-privilege users (e.g., admins) to inject arbitrary web scripts even when unfiltered_html is disallowed (multisite ...
CVE-2023-6133
Summary (CVE-2023-6133): The Forminator plugin for WordPress (affected:
CVE-2025-6464
The CVE concerns the WordPress Forminator Forms plugin (versions up to and including 1.44.2). It enables PHP Object Injection through deserialization of untrusted input in the entry_delete_upload_files function, triggered when a form submission is deleted (admin or auto-deletion). Exploitation re...