Vulnerabilities and security researches forforminator forminator
Direction: ascendingForminator – Contact Form, Payment Form & Custom Form Builder # CVE-2021-24700
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Nov 24, 2021
- Research Description
- The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2019-9567
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Mar 04, 2019
- Research Description
- The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2021-36821
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Mar 16, 2023
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator – Contact Form, Payment Form & Custom Form Builder allows Stored XSS.This issue affects Forminator – Contact Form, Payment Form & Custom Form Builder: from n/a through 1.14.11.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2019-9568
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Mar 04, 2019
- Research Description
- The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2021-4342
- CVE, Research URL
-
-
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Jun 07, 2023
- Research Description
- Rejected reason: CVE split into individual CVE IDs for each software record.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2023-4596
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Aug 30, 2023
- Research Description
- The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2023-5119
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Nov 21, 2023
- Research Description
- The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2021-4417
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Jul 12, 2023
- Research Description
- The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2023-3134
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Jul 31, 2023
- Research Description
- The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2023-6133
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Nov 15, 2023
- Research Description
- The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2023-2010
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Jul 04, 2023
- Research Description
- The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-3053
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Apr 10, 2024
- Research Description
- The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-31857
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Apr 23, 2024
- Research Description
- Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the user's web browser.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-28890
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Apr 23, 2024
- Research Description
- Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-29777
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Mar 27, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Reflected XSS.This issue affects Forminator: from n/a through 1.29.0.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-1794
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Apr 10, 2024
- Research Description
- The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. 3gpp file) in all versions up to, and including, 1.29.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-31077
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Apr 23, 2024
- Research Description
- Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any information in the database and cause a denial-of-service (DoS) condition.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-7389
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Aug 02, 2024
- Research Description
- The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-45625
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Sep 09, 2024
- Research Description
- Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-9351
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Oct 17, 2024
- Research Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the quiz 'create_module' function. This makes it possible for unauthenticated attackers to create draft quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-9352
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Oct 17, 2024
- Research Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the custom form 'create_module' function. This makes it possible for unauthenticated attackers to create draft forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-10402
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Oct 26, 2024
- Research Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2024-9700
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Oct 31, 2024
- Research Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2025-0470
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Jan 31, 2025
- Research Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the title parameter in all versions up to, and including, 1.38.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2025-0469
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Feb 27, 2025
- Research Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider template data in all versions up to, and including, 1.39.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2025-3479
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Apr 17, 2025
- Research Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Forminator – Contact Form, Payment Form & Custom Form Builder # CVE-2025-3487
- CVE, Research URL
- Home page URL
-
Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder
- Date
- Apr 17, 2025
- Research Description
- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘limit’ parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable