cleantalk
Vulnerabilities and Security Researches

Forminator – Contact Form, Payment Form & Custom Form Builder, CVE-2025-5341

CVE, Research URL

CVE-2025-5341

Home page URL

Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder

Application

Forminator – Contact Form, Payment Form & Custom Form Builder

Published on
Jun 05, 2025
Research Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id' and 'data-size’ parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 1.44.2.
Status
vulnerable
Previous vulnerability researches
Spiffy Calendar (CVE-2024-38692) , Jul 13, 2024
Spiffy Calendar (CVE-2017-9420) , Jun 07, 2024
Spiffy Calendar (CVE-2022-29434) , Jun 07, 2024
Spiffy Calendar (CVE-2022-46859) , Jun 07, 2024
Spiffy Calendar (CVE-2023-49745) , Jun 07, 2024
New vulnerability
WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log (CVE-2025-49273) , Jun 15, 2025
Widgetize Pages Light (CVE-2025-30995) , Jun 15, 2025
Zotpress (CVE-2025-4666) , Jun 15, 2025
افزونه پیامک ووکامرس Persian WooCommerce SMS (CVE-2025-49315) , Jun 15, 2025
Raychat (CVE-2025-49236) , Jun 15, 2025