Incsub Forminator

PHP Object Injection via entry_delete_upload_files in Forminator Forms <=1.44.2
CVE-2025-6464 7.5 - High - July 02, 2025

The Forminator Forms Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.

Marshaling, Unmarshaling

Forminator <1.44.2 Inf File Delete via entry_delete_upload_files
CVE-2025-6463 8.8 - High - July 02, 2025

The Forminator Forms Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

External Control of File Name or Path

Forminator WP Plugin <1.34.1 XSS via Crafted URL
CVE-2024-45625 6.1 - Medium - September 09, 2024

Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator.

XSS

Forminator WP Plugin <=1.29.1 Sensitive Info Exposure via HubSpot API Key
CVE-2024-7389 7.5 - High - August 02, 2024

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

Insufficiently Protected Credentials

Forminator <1.29.0: Unrestricted File Upload via Form Upload Field
CVE-2024-28890 - April 23, 2024

Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.

Forminator SQLi before 1.29.3 allows admin to alter DB & cause DoS
CVE-2024-31077 - April 23, 2024

Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any information in the database and cause a denial-of-service (DoS) condition.

Forminator <1.15.4 XSS via Widget Component
CVE-2024-31857 - April 23, 2024

Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the user's web browser.

Forminator Plugin 1.29.2 Stored XSS via forminator_form id
CVE-2024-3053 5.4 - Medium - April 09, 2024

The Forminator Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WordPress Forminator <=1.29.0 XSS via Unsanitized Upload
CVE-2024-1794 6.1 - Medium - April 09, 2024

The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. 3gpp file) in all versions up to, and including, 1.29.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WPMU DEV Forminator <1.29.0 Reflected XSS Vulnerability
CVE-2024-29777 6.1 - Medium - March 27, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Reflected XSS.This issue affects Forminator: from n/a through 1.29.0.

XSS

Forminator WP Plugin <1.27.0 Remote Script via Unsanitized redirect-url
CVE-2023-5119 4.8 - Medium - November 20, 2023

The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

XSS

Arbitrary File Upload via formallowed_mime_types in Forminator 1.27.0
CVE-2023-6133 4.9 - Medium - November 15, 2023

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.

Unrestricted File Upload

Forminator WP Plugin 1.24.6 Arbitrary File Upload via upload_post_image()
CVE-2023-4596 9.8 - Critical - August 30, 2023

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Unrestricted File Upload

Reflected XSS via unescaped query params in Forminator <1.24.4
CVE-2023-3134 6.1 - Medium - July 31, 2023

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.

XSS

Forminator 1.13.4 XSRF export form submissions vulnerability
CVE-2021-4417 4.3 - Medium - July 12, 2023

The Forminator Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

Race Condition in Forminator WP Plugin (<1.24.1) Allows Multiple Votes
CVE-2023-2010 3.1 - Low - July 04, 2023

The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.

Race Condition

Common Vulnerability in unspecified software (CVE-2021-4342)
CVE-2021-4342 - June 07, 2023

** REJECT ** CVE split into individual CVE IDs for each software record.

Forminator 1.14.11 Stored XSS via Input Neutralization Issue
CVE-2021-36821 6.1 - Medium - March 16, 2023

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Stored XSS.This issue affects Forminator: from n/a through 1.14.11.

XSS

The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could
CVE-2021-24700 4.8 - Medium - November 23, 2021

The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

XSS

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS
CVE-2019-9567 - March 04, 2019

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection
CVE-2019-9568 - March 04, 2019

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission.