cleantalk
Vulnerabilities and Security Researches

Forminator – Contact Form, Payment Form & Custom Form Builder, CVE-2024-3053

CVE, Research URL

CVE-2024-3053

Home page URL

Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder

Application

Forminator – Contact Form, Payment Form & Custom Form Builder

Published on
Apr 10, 2024
Research Description
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 1.29.3.
Status
vulnerable
Previous vulnerability researches
GSheetConnector for Forminator Forms (CVE-2025-22752) , Jan 17, 2025
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2024-45625) , Sep 10, 2024
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2024-9351) , Oct 17, 2024
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2024-9352) , Oct 17, 2024
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2024-9700) , Oct 31, 2024
New vulnerability
WordPress Job Board and Recruitment Plugin – JobWP (CVE-2025-2010) , Apr 20, 2025
WP Logger (CVE-2025-39456) , Apr 20, 2025
visualslider Sldier (CVE-2025-23448) , Apr 20, 2025
RSS Manager (CVE-2025-39418) , Apr 20, 2025
Contact Form vCard Generator (CVE-2025-39521) , Apr 20, 2025