Forminator
by WordPress
Source repositories
CVEs (31)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-9352 | 0.00 | — | 0.00 | Oct 17, 2024 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the custom form 'create_module'… | |||
| CVE-2024-45625 | 0.00 | — | 0.00 | Sep 9, 2024 | Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator. | |||
| CVE-2024-7389 | 0.00 | — | 0.01 | Aug 2, 2024 | The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API… | |||
| CVE-2024-28890 | 0.00 | — | 0.01 | Apr 23, 2024 | Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a… | |||
| CVE-2023-5119 | 0.00 | — | 0.00 | Nov 20, 2023 | The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed… | |||
| CVE-2023-3134 | 0.00 | — | 0.04 | Jul 31, 2023 | The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. | |||
| CVE-2023-2010 | 0.00 | — | 0.00 | Jul 4, 2023 | The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll. | |||
| CVE-2021-36821 | 0.00 | — | 0.00 | Mar 16, 2023 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Stored XSS.This issue affects Forminator: from n/a through 1.14.11. | |||
| CVE-2021-24700 | 0.00 | — | 0.01 | Nov 23, 2021 | The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | |||
| CVE-2019-9568 | 0.00 | — | 0.02 | Mar 4, 2019 | The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission. | |||
| CVE-2019-9567 | 0.00 | — | 0.01 | Mar 4, 2019 | The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll. |
- CVE-2024-9352Oct 17, 2024risk 0.00cvss —epss 0.00
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the custom form 'create_module'…
- CVE-2024-45625Sep 9, 2024risk 0.00cvss —epss 0.00
Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator.
- CVE-2024-7389Aug 2, 2024risk 0.00cvss —epss 0.01
The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API…
- CVE-2024-28890Apr 23, 2024risk 0.00cvss —epss 0.01
Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a…
- CVE-2023-5119Nov 20, 2023risk 0.00cvss —epss 0.00
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed…
- CVE-2023-3134Jul 31, 2023risk 0.00cvss —epss 0.04
The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.
- CVE-2023-2010Jul 4, 2023risk 0.00cvss —epss 0.00
The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.
- CVE-2021-36821Mar 16, 2023risk 0.00cvss —epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Stored XSS.This issue affects Forminator: from n/a through 1.14.11.
- CVE-2021-24700Nov 23, 2021risk 0.00cvss —epss 0.01
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
- CVE-2019-9568Mar 4, 2019risk 0.00cvss —epss 0.02
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission.
- CVE-2019-9567Mar 4, 2019risk 0.00cvss —epss 0.01
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.
Page 2 of 2