Forminator

WPMU DEV - Your All-in-One WordPress Platform

Developer

1.50.3

Latest version

600,000

Installations

No date

Last updated

WordPress Plugin

Active VDP

Report vulnerability

Vulnerabilities

Security Policy

Security Contributors

Vulnerability history

0 present

29 fixed

6 Mitigation rules

WordPress Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
<= 1.50.2
21 hours ago
Missing Authorization to Authenticated (Forminator User+) CSV Export vulnerability
<= 1.49.1
Jan 8, 2026
Authenticated (Administrator+) SQL Injection via `order_by` Parameter vulnerability
<= 1.45.0
Jul 18, 2025
Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion vulnerability
<= 1.44.2
Jul 1, 2025
Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion vulnerability
<= 1.44.2
Jul 1, 2025
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters vulnerability
<= 1.44.1
Jun 5, 2025
Order Replay vulnerability
<= 1.42.0
Apr 17, 2025
Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit' vulnerability
<= 1.42.0
Apr 17, 2025
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
1.39.2
Feb 26, 2025
Admin+ Stored XSS vulnerability
< 1.38.3
Feb 14, 2025
Reflected Cross-Site Scripting via Title Parameter vulnerability
<= 1.38.2
Jan 30, 2025
Insecure Direct Object Reference to Submission Manipulation vulnerability
<= 1.36.0
Oct 31, 2024
Missing Authorization to Authenticated Form Update and Creation vulnerability
<= 1.35.1
Oct 28, 2024
Cross-Site Request Forgery to Draft Custom Form Creation vulnerability
<= 1.35.1
Oct 16, 2024
Cross-Site Request Forgery to Draft Quiz Creation vulnerability
<= 1.35.1
Oct 16, 2024
HubSpot Developer API Key Sensitive Information Exposure vulnerability
<= 1.29.1
Aug 2, 2024
Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode vulnerability
<= 1.29.2
Apr 9, 2024
Unauthenticated Stored Cross-Site Scripting via File Upload vulnerability
<= 1.29.0
Apr 1, 2024
Reflected Cross Site Scripting (XSS) vulnerability
<= 1.29.0
Mar 25, 2024
Authenticated (Administrator+) Arbitrary File Upload vulnerability
<= 1.27.0
Nov 15, 2023
Unauthenticated Arbitrary File Upload vulnerability
<= 1.24.6
Aug 29, 2023
Unauth. Race Condition vulnerability
< 1.24.1
Jul 4, 2023
Multiple Missing Authorization vulnerability
<= 1.22.1
Apr 13, 2023
Stored Cross-Site Scripting (XSS) vulnerability
<= 1.15.2
Oct 20, 2021
Stored Cross-Site Scripting (XSS) vulnerability
<= 1.14.11
Jul 14, 2021
Cross-Site Request Forgery (CSRF) vulnerability
<= 1.14.8
Mar 1, 2021
Cross-Site Request Forgery (CSRF) vulnerability
<= 1.13.4
Sep 16, 2020
Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability
<= 1.5.4
Feb 6, 2019
Authenticated Blind SQL Injection (SQLi) vulnerability
<= 1.5.4
Feb 6, 2019