cleantalk
Vulnerabilities and Security Researches

Forminator – Contact Form, Payment Form & Custom Form Builder, CVE-2026-2729

CVE, Research URL

CVE-2026-2729

Home page URL

Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder

Application

Forminator – Contact Form, Payment Form & Custom Form Builder

Published on
May 05, 2026
Research Description
The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.
Affected versions
max 1.52.1.
Status
vulnerable
Previous vulnerability researches
ElementsKit Elementor addons (CVE-2024-8546) , Sep 25, 2024
ElementsKit Elementor addons (CVE-2024-11180) , Mar 31, 2025
ElementsKit Elementor addons (CVE-2024-37255) , Jul 01, 2024
ElementsKit Elementor addons (CVE-2024-10091) , Oct 26, 2024
ElementsKit Elementor addons , Dec 27, 2024
New vulnerability
Event Tickets and Registration (CVE-2026-42662) , May 05, 2026
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2026-2729) , May 05, 2026
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2026-5192) , May 05, 2026
ElementsKit Elementor addons (CVE-2026-4362) , May 05, 2026
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions (CVE-2026-4100) , May 04, 2026