Forminator
WPMU DEV - Your All-in-One WordPress Platform
Developer
1.48.2
Latest version
600,000
Installations
Oct 20, 2025
Last updated
Vulnerability history
0 present
27 fixed
6 Mitigation rules
- Authenticated (Administrator+) SQL Injection via `order_by` Parameter vulnerability<= 1.45.0Jul 18, 2025
- Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion vulnerability<= 1.44.2Jul 1, 2025
- Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion vulnerability<= 1.44.2Jul 1, 2025
- Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters vulnerability<= 1.44.1Jun 5, 2025
- Order Replay vulnerability<= 1.42.0Apr 17, 2025
- Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit' vulnerability<= 1.42.0Apr 17, 2025
- Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability1.39.2Feb 26, 2025
- Admin+ Stored XSS vulnerability< 1.38.3Feb 14, 2025
- Reflected Cross-Site Scripting via Title Parameter vulnerability<= 1.38.2Jan 30, 2025
- Insecure Direct Object Reference to Submission Manipulation vulnerability<= 1.36.0Oct 31, 2024
- Missing Authorization to Authenticated Form Update and Creation vulnerability<= 1.35.1Oct 28, 2024
- Cross-Site Request Forgery to Draft Custom Form Creation vulnerability<= 1.35.1Oct 16, 2024
- Cross-Site Request Forgery to Draft Quiz Creation vulnerability<= 1.35.1Oct 16, 2024
- HubSpot Developer API Key Sensitive Information Exposure vulnerability<= 1.29.1Aug 2, 2024
- Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode vulnerability<= 1.29.2Apr 9, 2024
- Unauthenticated Stored Cross-Site Scripting via File Upload vulnerability<= 1.29.0Apr 1, 2024
- Reflected Cross Site Scripting (XSS) vulnerability<= 1.29.0Mar 25, 2024
- Authenticated (Administrator+) Arbitrary File Upload vulnerability<= 1.27.0Nov 15, 2023
- Unauthenticated Arbitrary File Upload vulnerability<= 1.24.6Aug 29, 2023
- Unauth. Race Condition vulnerability< 1.24.1Jul 4, 2023
- Multiple Missing Authorization vulnerability<= 1.22.1Apr 13, 2023
- Stored Cross-Site Scripting (XSS) vulnerability<= 1.15.2Oct 20, 2021
- Stored Cross-Site Scripting (XSS) vulnerability<= 1.14.11Jul 14, 2021
- Cross-Site Request Forgery (CSRF) vulnerability<= 1.14.8Mar 1, 2021
- Cross-Site Request Forgery (CSRF) vulnerability<= 1.13.4Sep 16, 2020
- Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability<= 1.5.4Feb 6, 2019
- Authenticated Blind SQL Injection (SQLi) vulnerability<= 1.5.4Feb 6, 2019