
Forminator Forms – Contact Form, Payment Form & Custom Form Builder — Vulnerabilities & Security Advisories (24)

All 24 CVE vulnerabilities found in Forminator Forms – Contact Form, Payment Form & Custom Form Builder, with AI-generated Chinese analysis, references, and POCs.

This page aggregates known security vulnerabilities and weakness classifications for the Forminator Forms product, a popular WordPress plugin for creating contact, payment, and custom forms. The content specifically addresses flaws related to cross-site scripting, privilege escalation, and injection attacks within the context of this widely used form builder solution. The vulnerabilities collected on this page span from the plugin’s initial releases up to the most recent disclosures, providing a comprehensive historical record of security issues. This timeframe includes both critical flaws that allow remote code execution and lower-severity issues affecting data integrity or user access controls. By consolidating these entries, the page offers a unified view of the product’s security posture over time, helping developers and site administrators understand the evolution of risks associated with this specific toolset. Readers can utilize this resource to track the vendor’s security advisory history and assess how quickly the development team responds to reported issues. It also serves as a reference for understanding specific weakness classes, such as improper input validation or insecure direct object references, as they manifest in form handling contexts. Additionally, users can look up the complete vulnerability history of Forminator Forms to evaluate the reliability of the plugin for their projects. This structured approach to vulnerability data enables informed decision-making regarding updates, patches, and alternative solutions, ensuring that stakeholders remain aware of potential threats and the effectiveness of past mitigation efforts without relying on isolated or outdated reports.

Vendor: wpmudev

| CVE ID | Title | CWE | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-6214 | Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook | CWE-862 | 6.5 | Medium | 2026-05-07 |
| CVE-2026-6222 | Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter | CWE-862 | 5.3 | Medium | 2026-05-07 |
| CVE-2026-5192 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]' | CWE-22 | 7.5 | High | 2026-05-05 |
| CVE-2026-2729 | Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter | CWE-639 | 5.3 | Medium | 2026-05-05 |
| CVE-2026-2002 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | CWE-79 | 4.4 | Medium | 2026-02-17 |
| CVE-2025-14782 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export | CWE-862 | 5.3 | Medium | 2026-01-09 |
| CVE-2025-7638 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter | CWE-89 | 4.9 | Medium | 2025-07-18 |
| CVE-2025-6464 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion | CWE-502 | 7.5 | High | 2025-07-02 |
| CVE-2025-6463 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion | CWE-73 | 8.8 | High | 2025-07-02 |
| CVE-2025-5341 | Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters | CWE-79 | 6.4 | Medium | 2025-06-05 |
| CVE-2025-3479 | Forminator <= 1.42.0 - Order Replay Vulnerability | CWE-354 | 5.3 | Medium | 2025-04-17 |
| CVE-2025-3487 | Forminator <= 1.42.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit' | CWE-79 | 6.4 | Medium | 2025-04-17 |
| CVE-2025-0469 | Forminator <= 1.39.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | CWE-79 | 6.4 | Medium | 2025-02-27 |
| CVE-2025-0470 | Forminator <= 1.38.2 - Reflected Cross-Site Scripting via Title Parameter | CWE-79 | 6.1 | Medium | 2025-01-31 |
| CVE-2024-9700 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation | CWE-639 | 5.3 | Medium | 2024-10-31 |
| CVE-2024-10402 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Missing Authorization to Authenticated (Contributor+) Form Update and Creation | CWE-862 | 7.5 | High | 2024-10-26 |
| CVE-2024-9351 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Quiz Creation | CWE-352 | 4.3 | Medium | 2024-10-17 |
| CVE-2024-9352 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Custom Form Creation | CWE-352 | 4.3 | Medium | 2024-10-17 |
| CVE-2024-7389 | Forminator <= 1.29.1 - HubSpot Developer API Key Sensitive Information Exposure | CWE-522 | 7.5 | High | 2024-08-02 |
| CVE-2024-1794 | Forminator <= 1.29.0 - Unauthenticated Stored Cross-Site Scripting via File Upload | CWE-79 | 7.2 | High | 2024-04-09 |
| CVE-2024-3053 | Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.29.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode | CWE-79 | 6.4 | Medium | 2024-04-09 |
| CVE-2023-6133 | Forminator <= 1.27.0 - Authenticated (Administrator+) Arbitrary File Upload | CWE-434 | 6.6 | Medium | 2023-11-15 |
| CVE-2023-4596 | Forminator <= 1.24.6 - Unauthenticated Arbitrary File Upload | CWE-434 | 9.8 | Critical | 2023-08-30 |
| CVE-2021-4417 | Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.13.4 - Cross-Site Request Forgery Bypass | CWE-352 | 5.4 | Medium | 2023-07-12 |
