Wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder
24 CVEs affecting Wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder. Latest disclosed: 2026-05-07. Critical: 1, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-4596 | Critical | 9.8 | 2023-08-30 | The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server… |
| CVE-2025-6463 | High | 8.8 | 2025-07-02 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file… |
| CVE-2026-5192 | High | 7.5 | 2026-05-05 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including… |
| CVE-2025-6464 | High | 7.5 | 2025-07-02 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and i… |
| CVE-2024-10402 | High | 7.5 | 2024-10-26 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability c… |
| CVE-2024-7389 | High | 7.5 | 2024-08-02 | The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hub… |
| CVE-2024-1794 | High | 7.2 | 2024-04-09 | The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. 3gpp file) in all versions up to, and including, 1… |
| CVE-2023-6133 | Medium | 6.6 | 2023-11-15 | The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in… |
| CVE-2026-6214 | Medium | 6.5 | 2026-05-07 | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_e… |
| CVE-2025-5341 | Medium | 6.4 | 2025-06-05 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'dat… |
| CVE-2025-3487 | Medium | 6.4 | 2025-04-17 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘limit’ param… |
| CVE-2025-0469 | Medium | 6.4 | 2025-02-27 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider templa… |
| CVE-2024-3053 | Medium | 6.4 | 2024-04-09 | The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_for… |
| CVE-2025-0470 | Medium | 6.1 | 2025-01-31 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the title para… |
| CVE-2021-4417 | Medium | 5.4 | 2023-07-12 | The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and inclu… |
| CVE-2026-6222 | Medium | 5.3 | 2026-05-07 | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()`… |
| CVE-2026-2729 | Medium | 5.3 | 2026-05-05 | The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly… |
| CVE-2025-14782 | Medium | 5.3 | 2026-01-09 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and i… |
| CVE-2025-3479 | Medium | 5.3 | 2025-04-17 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including… |
| CVE-2024-9700 | Medium | 5.3 | 2024-10-31 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions… |