Forminator

WPMU DEV - Your All-in-One WordPress Platform

Developer

1.52.0

Latest version

600,000

Installations

No date

Last updated

WordPress Plugin

Active VDP

Report vulnerability

Vulnerabilities

Security Policy

Security Contributors

Vulnerability history

0 present

30 patched

6 Mitigation rules

Broken Access Control vulnerability
<= 1.50.2
22/02/2026
WordPress Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
<= 1.50.2
16/02/2026
Missing Authorization to Authenticated (Forminator User+) CSV Export vulnerability
<= 1.49.1
08/01/2026
Authenticated (Administrator+) SQL Injection via `order_by` Parameter vulnerability
<= 1.45.0
18/07/2025
Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion vulnerability
<= 1.44.2
01/07/2025
Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion vulnerability
<= 1.44.2
01/07/2025
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters vulnerability
<= 1.44.1
05/06/2025
Order Replay vulnerability
<= 1.42.0
17/04/2025
Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit' vulnerability
<= 1.42.0
17/04/2025
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
1.39.2
26/02/2025
Admin+ Stored XSS vulnerability
< 1.38.3
14/02/2025
Reflected Cross-Site Scripting via Title Parameter vulnerability
<= 1.38.2
30/01/2025
Insecure Direct Object Reference to Submission Manipulation vulnerability
<= 1.36.0
31/10/2024
Missing Authorization to Authenticated Form Update and Creation vulnerability
<= 1.35.1
28/10/2024
Cross-Site Request Forgery to Draft Custom Form Creation vulnerability
<= 1.35.1
16/10/2024
Cross-Site Request Forgery to Draft Quiz Creation vulnerability
<= 1.35.1
16/10/2024
HubSpot Developer API Key Sensitive Information Exposure vulnerability
<= 1.29.1
02/08/2024
Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode vulnerability
<= 1.29.2
09/04/2024
Unauthenticated Stored Cross-Site Scripting via File Upload vulnerability
<= 1.29.0
01/04/2024
Reflected Cross Site Scripting (XSS) vulnerability
<= 1.29.0
25/03/2024
Authenticated (Administrator+) Arbitrary File Upload vulnerability
<= 1.27.0
15/11/2023
Unauthenticated Arbitrary File Upload vulnerability
<= 1.24.6
29/08/2023
Unauth. Race Condition vulnerability
< 1.24.1
04/07/2023
Multiple Missing Authorization vulnerability
<= 1.22.1
13/04/2023
Stored Cross-Site Scripting (XSS) vulnerability
<= 1.15.2
20/10/2021
Stored Cross-Site Scripting (XSS) vulnerability
<= 1.14.11
14/07/2021
Cross-Site Request Forgery (CSRF) vulnerability
<= 1.14.8
01/03/2021
Cross-Site Request Forgery (CSRF) vulnerability
<= 1.13.4
16/09/2020
Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability
<= 1.5.4
06/02/2019
Authenticated Blind SQL Injection (SQLi) vulnerability
<= 1.5.4
06/02/2019