Incsub Forminator
By the Year
In 2024 there have been 0 vulnerabilities in Incsub Forminator . Last year Forminator had 8 security vulnerabilities published. Right now, Forminator is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 8 | 5.59 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 4.80 |
| 2020 | 0 | 0.00 |
| 2019 | 2 | 6.30 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Forminator vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Incsub Forminator Security Vulnerabilities
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could
CVE-2023-5119
4.8 - Medium
- November 20, 2023
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).
XSS
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_
CVE-2023-6133
4.9 - Medium
- November 15, 2023
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.
Unrestricted File Upload
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to
CVE-2023-4596
9.8 - Critical
- August 30, 2023
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Unrestricted File Upload
The Forminator WordPress plugin before 1.24.4 does not properly escape values
CVE-2023-3134
6.1 - Medium
- July 31, 2023
The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.
XSS
The Forminator Contact Form
CVE-2021-4417
4.3 - Medium
- July 12, 2023
The Forminator Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Session Riding
The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update
CVE-2023-2010
3.1 - Low
- July 04, 2023
The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.
Race Condition
** REJECT ** CVE split into individual CVE IDs for each software record.
CVE-2021-4342
- June 07, 2023
** REJECT ** CVE split into individual CVE IDs for each software record.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator Contact Form, Payment Form & Custom Form Builder
CVE-2021-36821
6.1 - Medium
- March 16, 2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator Contact Form, Payment Form & Custom Form Builder allows Stored XSS.This issue affects Forminator Contact Form, Payment Form & Custom Form Builder: from n/a through 1.14.11.
XSS
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could
CVE-2021-24700
4.8 - Medium
- November 23, 2021
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
XSS
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection
CVE-2019-9568
6.5 - Medium
- March 04, 2019
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission.
SQL Injection
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS
CVE-2019-9567
6.1 - Medium
- March 04, 2019
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Incsub Forminator or by Incsub? Click the Watch button to subscribe.
