Forminator Forms – Contact Form, Payment Form & Custom Form Builder (v1.53.1) is a multifunctional WordPress plugin that enables the creation of forms, polls, quizzes, payment forms, and lead-generation tools through a drag-and-drop interface. It integrates with payment gateways, CRMs, and third-party services, making it a high-impact component of the application's attack surface.

Built for websites running on WordPress, Forminator handles sensitive user data, payments, file uploads, and AJAX interactions — making security a critical requirement.

The plugin's functionality includes payments (Stripe, PayPal), quizzes, surveys, integrations, and GDPR-ready data handling.

Name: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Version: 1.53.1
Active installations: 600,000+
Description: Advanced form builder with secure payment handling, AJAX processing, and certified code integrity (PSC-2026-64643)
Security: Successfully tested for:
  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS) – Stored & Reflected
  • Cross-Site Request Forgery (CSRF)
  • Authentication Vulnerabilities
  • Authentication Bypass Exploits
  • Privilege Escalation
  • Buffer Overflow
  • Denial-of-Service (DoS) vectors
  • Data Leakage Vulnerabilities
  • Insecure Dependency Usage
  • Remote Code Execution (RCE) Risks
  • Unauthorized File Access
  • Insufficient Injection Protection
  • Information Disclosure via Misconfigured Endpoints
CleanTalk Certification: Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards.
Additional Information: Teams can extend Elementor with the assurance of the “Plugin Security Certification” (PSC). As a best practice, restrict who can edit Elementor templates and global widgets, and treat any custom HTML/template-related fields as security-sensitive output.

Key Features

  • Drag-and-drop form builder
  • Payment integration (Stripe, PayPal)
  • Polls, quizzes, and calculators
  • File upload support (single & multi-file)
  • AJAX form submissions
  • reCAPTCHA, hCaptcha, Cloudflare Turnstile
  • CRM integrations (HubSpot, Mailchimp, etc.)
  • Webhooks (Zapier, Make, etc.)
  • GDPR-ready data collection
  • Custom login & registration forms
  • Frontend post submissions

Security Assurance

The CleanTalk Plugin Security Certification evaluation for Elementor addon suites focuses on attacker models that target stored configuration and rendered output. Typical abuse patterns include injecting JavaScript into widget settings, dynamic content fields, or template parameters that later render on public pages (stored XSS), forcing configuration changes via CSRF against administrators (enabling modules, changing template behavior, modifying global settings), and abusing weak capability checks to let lower-privileged roles access design and template controls they should not have. The review validates that state-changing actions are protected with nonce and CSRF defenses, that capability checks are enforced consistently at the handler level, and that values rendered into HTML and attribute contexts are output-encoded appropriately. It also considers leakage vectors via misconfigured endpoints and overly verbose diagnostics that could expose internal configuration metadata.
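The three controls the review checks for (a nonce on state-changing requests, a capability check inside the handler itself, and context-aware output encoding) look like this in a WordPress admin-AJAX handler. This is an added illustration, not Forminator's or CleanTalk's code; the `psc_demo_*` action, option and script names are hypothetical.

```php
<?php
// Added illustration, not Forminator's own code. The psc_demo_* names are hypothetical.

// Admin-AJAX handler for a state-changing action: it stores a message that is
// later rendered on a public page, exactly the stored-XSS / CSRF pattern above.
add_action( 'wp_ajax_psc_demo_save_message', 'psc_demo_save_message' );
function psc_demo_save_message() {
    // 1. CSRF defence: the request must carry a nonce bound to this action.
    //    check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'psc_demo_save_message', 'nonce' );

    // 2. Authorization enforced in the handler, not only by hiding the menu item.
    //    A nonce proves intent, not privilege, so both checks are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Input handling: unslash, then reduce to plain text before storing.
    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    update_option( 'psc_demo_message', $message );

    wp_send_json_success( array( 'saved' => true ) );
}

// 4. Output encoding chosen per context at render time, regardless of what was stored.
function psc_demo_render_message() {
    $message = get_option( 'psc_demo_message', '' );
    echo '<p class="psc-demo">' . esc_html( $message ) . '</p>';        // HTML body context
    echo '<input type="text" value="' . esc_attr( $message ) . '">';    // attribute context
}

// The nonce is generated server-side and handed to the admin script that
// submits the AJAX request (the script itself is not shown here).
add_action( 'admin_enqueue_scripts', 'psc_demo_enqueue_admin' );
function psc_demo_enqueue_admin() {
    wp_enqueue_script( 'psc-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'psc-demo-admin', 'pscDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'psc_demo_save_message' ),
    ) );
}
```

A handler that omits either the `check_ajax_referer()` call or the `current_user_can()` check is the weak-capability / CSRF finding the paragraph describes, even if the setting is only reachable through an admin-only screen.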

The plugin has been successfully tested for:

✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ File Unauthorized Access Vulnerabilities
✅ Insufficient Injection Protection

Conclusion

Forminator is a powerful yet security-conscious form ecosystem plugin. Despite handling sensitive workflows (payments, uploads, integrations), it maintains strong security boundaries and predictable behavior.

The awarded PSC-2026-64645 confirms its suitability for production environments.

Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.

Plugin Security Certification (PSC-2026-64645): “Forminator Forms – Contact Form, Payment Form & Custom Form Builder” – Version 8.6.0

Artyom Krugov

Cybersecurity Specialist with 4 years of hands-on experience in web application and WordPress security. Holder of the OSCP+ certification and author of 80+ publicly disclosed CVEs affecting WordPress plugins and themes. Specialized in vulnerability research, penetration testing, website incident response, malware removal, and security hardening of production environments. Experienced in identifying and validating high-impact vulnerabilities in WordPress plugins, themes, and custom web applications, as well as providing practical remediation guidance to improve overall security posture. Strong background in web application security, source code review, vulnerability assessment, exploit validation, and post-compromise recovery of infected websites.
