Forminator Forms – Contact Form, Payment Form & Custom Form Builder (v1.53.1) is a multifunctional WordPress plugin that enables the creation of forms, polls, quizzes, payment forms, and lead-generation tools through a drag-and-drop interface. It integrates with payment gateways, CRMs, and third-party services, making it a high-impact component in the application security surface.
Built for websites running on WordPress, Forminator handles sensitive user data, payments, file uploads, and AJAX interactions — making security a critical requirement.
Its functionality covers payments (Stripe, PayPal), quizzes, surveys, third-party integrations, and GDPR-ready data handling.
| Field | Value |
|---|---|
| Name | Forminator Forms – Contact Form, Payment Form & Custom Form Builder |
| Version | 1.53.1 |
| Active installations | 600,000+ |
| Description | Advanced form builder with secure payment handling, AJAX processing, and certified code integrity (PSC-2026-64643) |
| Security | Successfully tested for: SQL Injection (SQLi); Cross-Site Scripting (XSS), stored and reflected; Cross-Site Request Forgery (CSRF); authentication vulnerabilities and authentication bypass; privilege escalation; buffer overflow; Denial-of-Service (DoS) vectors; data leakage; insecure dependency usage; Remote Code Execution (RCE) risks; unauthorized file access; insufficient injection protection; information disclosure via misconfigured endpoints |
| CleanTalk Certification | Earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to its security review criteria. |
| Additional Information | Teams can deploy Forminator with the assurance of the “Plugin Security Certification” (PSC). As a best practice, restrict which roles can create or edit forms and change payment, webhook and integration settings, and treat custom HTML blocks, success messages and notification templates as security-sensitive output. |
Key Features
- Drag-and-drop form builder
- Payment integration (Stripe, PayPal)
- Polls, quizzes, and calculators
- File upload support (single & multi-file)
- AJAX form submissions
- reCAPTCHA, hCaptcha, Cloudflare Turnstile
- CRM integrations (HubSpot, Mailchimp, etc.)
- Webhooks (Zapier, Make, etc.)
- GDPR-ready data collection
- Custom login & registration forms
- Frontend post submissions
Security Assurance
The CleanTalk Plugin Security Certification review of Forminator focuses on attacker models that target stored form configuration, the submission path and rendered output. Typical abuse patterns include injecting JavaScript into field labels, custom HTML blocks, success or error messages and notification templates that later render on public pages or in wp-admin (stored XSS); forcing configuration changes via CSRF against administrators (enabling integrations, changing payment or webhook settings, modifying global options); and abusing weak capability checks so that lower-privileged roles, including accounts created through the plugin's own registration forms, reach form-builder, settings or submission-data controls they should not have. Because forms, frontend post submissions and file uploads accept input from unauthenticated visitors, the submission endpoints themselves (AJAX handlers, upload processing, payment callbacks) are part of the attack surface as well. The review validates that state-changing actions are protected with nonce and CSRF defenses, that capability checks are enforced consistently at the handler level rather than only when building the admin menu, and that values rendered into HTML and attribute contexts are output-encoded for their context. It also considers leakage vectors via misconfigured endpoints and overly verbose diagnostics that could expose internal configuration metadata or submitted data.
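To make the three controls above concrete (nonce/CSRF protection, a capability check inside the handler, and context-aware output encoding), here is an added illustration written for this page. It is not Forminator's code and not part of the CleanTalk review; the handler, option and function names prefixed `psc_demo_` are hypothetical, while the WordPress APIs it calls are real. It shows a weak AJAX handler that saves a form's success message beside a hardened one, plus the matching render and nonce-emitting code.

```php
<?php
// Added illustration, not Forminator's code. All psc_demo_* names are hypothetical;
// the WordPress functions (check_ajax_referer, current_user_can, wp_kses_post,
// esc_attr, wp_nonce_field, ...) are the real core APIs.

// --- Weak handler: no nonce, no capability check, raw input stored and echoed. ---
add_action( 'wp_ajax_psc_demo_save_message_weak', function () {
    // Any logged-in user can reach wp_ajax_* actions, and a forged cross-site POST
    // riding an administrator's session is accepted because no nonce ties the
    // request to that admin's intent.
    $message = $_POST['message'];                        // no unslash, no sanitising
    update_option( 'psc_demo_success_message', $message ); // stored as-is
    echo '<div class="psc-demo-success">' . $message . '</div>'; // reflected and, via the option, stored XSS
    wp_die();
} );

// --- Hardened handler: nonce + capability on the way in, filtered on the way out. ---
add_action( 'wp_ajax_psc_demo_save_message', function () {
    // 1. CSRF: check_ajax_referer() dies with 403 unless the 'psc_demo_nonce' field
    //    carries a valid nonce for the action 'psc_demo_save_message'.
    check_ajax_referer( 'psc_demo_save_message', 'psc_demo_nonce' );

    // 2. Authorization at the handler, not only in the admin menu: a nonce proves
    //    intent, not privilege, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: unslash, then filter. wp_kses_post() keeps post-safe HTML (no <script>,
    //    no on* handlers, no javascript: URLs). Use sanitize_text_field() instead if
    //    the message is meant to be plain text.
    $message = isset( $_POST['message'] )
        ? wp_kses_post( wp_unslash( $_POST['message'] ) )
        : '';
    update_option( 'psc_demo_success_message', $message );

    wp_send_json_success( array( 'saved' => true ) );
} );

// Rendering: encode for the context the value lands in. Attribute values get
// esc_attr(); the HTML body is re-filtered with wp_kses_post() so a value that
// reached the option by another path (import, older code) is still constrained.
function psc_demo_render_success( $form_id ) {
    $message = get_option( 'psc_demo_success_message', '' );
    return sprintf(
        '<div class="psc-demo-success" data-form-id="%s">%s</div>',
        esc_attr( (string) $form_id ),   // attribute context
        wp_kses_post( $message )         // HTML body context, allow-list filtered
    );
}

// Admin side: emit the nonce field the hardened handler expects. The field name
// and action string must match the check_ajax_referer() call above.
function psc_demo_settings_form() {
    ?>
    <form id="psc-demo-settings">
        <?php wp_nonce_field( 'psc_demo_save_message', 'psc_demo_nonce' ); ?>
        <textarea name="message"></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

Two points the example is built around: a WordPress nonce is bound to the user, the action string and a time window, so it defeats CSRF but says nothing about whether that user may perform the action, which is why the `current_user_can()` check stays in the handler; and filtering on input (`wp_kses_post`) does not replace encoding on output (`esc_attr`, `esc_html`), because the same stored string may be placed into an attribute, a text node or a JavaScript context, each of which needs its own escaping.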
The plugin has been successfully tested for:
✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ Unauthorized File Access Vulnerabilities
✅ Insufficient Injection Protection
Conclusion
Forminator 1.53.1 handles several sensitive workflows (payments, file uploads, third-party integrations, AJAX submissions and frontend post and registration forms), and the certification review reported no findings in the categories listed above, indicating that its state-changing actions, capability checks and output handling met the PSC criteria for this version.
The awarded certificate PSC-2026-64645 records that this version passed the review. A certificate applies to the version tested, so keep the plugin updated and re-check its certification status after upgrades.
Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.
