Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the title parameter in all versions up to, and including, 1.38.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-01-31
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Forminator plugin reflects the title request parameter into page output without adequate sanitization on input or escaping on output, so an unauthenticated attacker can place arbitrary HTML and JavaScript into the response. Exploitation requires a victim to open a crafted URL (or submit a crafted form) that carries the malicious title value; the script then runs in the victim's browser within the site's origin. Because WordPress auth cookies are HttpOnly by default, direct cookie theft is unlikely, but the script can still deface the page, present phishing content, and issue requests that ride on the victim's existing session. If the victim is a logged-in administrator, that includes privileged wp-admin actions.

Affected Systems

All instances of the Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin released by WPMUDEV up to and including version 1.38.2 are impacted. Any WordPress site deploying these releases is susceptible to the reflected XSS flaw.

Risk and Exploitability

The CVSS 3.1 base score is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and the EPSS score indicates a very low exploitation probability (<1%). Attackers do not need authenticated access, but the UI:R component reflects the need to entice a user into opening a crafted URL or link that supplies a malicious title value, and the real impact depends on the privilege of the user who clicks. The vulnerability is not listed in the CISA KEV catalog, and the SSVC decision point recorded below marks Exploitation as "none", so no confirmed in-the-wild exploitation has been reported; absence from KEV is not evidence that exploitation attempts are not occurring.

Generated by OpenCVE AI on April 21, 2026 at 22:26 UTC.

Remediation

This page records no vendor fix or workaround. The advisory scopes the flaw to versions up to and including 1.38.2, which implies the correction landed in the release after it; confirm the fixed version against the plugin's changelog before relying on an upgrade as the remediation.

OpenCVE Recommended Actions

  • Upgrade the Forminator plugin to a release newer than 1.38.2 (verify in the vendor changelog that the release addresses this reflected XSS) and confirm the installed version afterwards.
  • If an upgrade cannot be performed immediately, understand what a correct fix looks like before attempting an interim patch: stripping script tags is not sufficient, because XSS payloads do not need a script tag (event handlers such as onerror, or a quote that breaks out of an attribute, suffice). The fix is context-aware output escaping at the point where title is written into the page (esc_html() for element content, esc_attr() for attribute values, esc_url() for URLs), with sanitize_text_field() on input as defense in depth. This page does not identify the affected code path, so any interim patch has to be located in the plugin's own handling of the title parameter rather than applied as a generic filter.
  • Configure a Web Application Firewall or security plugin to reject requests whose title parameter contains HTML metacharacters (<, >, ", ') or their URL-encoded forms, rather than matching only the literal string <script>, which is trivially bypassed. Expect some false positives if legitimate titles contain those characters, and treat the rule as a stopgap until the upgrade is applied.
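The difference between the insufficient and the correct fix described above, as an added example. This is not Forminator's code and the page does not show the affected code path: the render functions, the template markup, and the payloads are constructed for illustration, and the esc_html(), esc_attr() and sanitize_text_field() fallbacks are simplified stand-ins so the script runs outside WordPress (inside WordPress the real functions are used).

```php
<?php
// Added example, not Forminator's code. Contrasts an unescaped reflection of a
// request parameter (the CWE-79 pattern in the advisory) with a script-tag
// blocklist and with context-aware escaping. Hypothetical template markup.

// Simplified stand-ins so this runs outside WordPress; skipped when WP is loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Approximation of WP: drop tags, control characters and surrounding whitespace.
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/u', '', $str);
        return trim($str);
    }
}

// VULNERABLE: the raw parameter is concatenated into element content and into
// an attribute value without escaping.
function render_title_vulnerable(string $title): string {
    return '<h2 class="form-title">' . $title . '</h2>'
         . '<input type="text" name="title" value="' . $title . '">';
}

// INSUFFICIENT: removing <script> tags only. A quote that closes the attribute
// followed by a tag with an event handler is untouched.
function render_title_strip_script(string $title): string {
    $filtered = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $title);
    return '<h2 class="form-title">' . $filtered . '</h2>'
         . '<input type="text" name="title" value="' . $filtered . '">';
}

// FIXED: sanitize on input (defense in depth) and escape on output for the
// context each value lands in: esc_html() for text, esc_attr() for attributes.
function render_title_fixed(string $raw_title): string {
    $title = sanitize_text_field($raw_title);
    return '<h2 class="form-title">' . esc_html($title) . '</h2>'
         . '<input type="text" name="title" value="' . esc_attr($title) . '">';
}

// Demo-only check: after removing the template's own fixed markup, any
// remaining '<' or event handler came from the parameter.
function has_injected_markup(string $html): bool {
    $stripped = str_replace(
        ['<h2 class="form-title">', '</h2>', '<input type="text" name="title" value="', '">'],
        '',
        $html
    );
    return strpos($stripped, '<') !== false || stripos($stripped, 'onerror') !== false;
}

// Constructed payloads (not taken from the advisory). The second needs no
// script tag at all, which is why a script-tag blocklist is not a fix.
$payloads = [
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
];

foreach ($payloads as $p) {
    // In the real handler the value would arrive as $_GET['title'].
    printf("payload:      %s\n", $p);
    foreach (['vulnerable'   => render_title_vulnerable($p),
              'strip-script' => render_title_strip_script($p),
              'fixed'        => render_title_fixed($p)] as $label => $html) {
        printf("%-13s injected=%s  %s\n", $label . ':',
               has_injected_markup($html) ? 'yes' : 'no ', $html);
    }
    echo "\n";
}
```

Run it with `php example.php`: the blocklist version reports no injection for the first payload and injection for the second, while the fixed version reports none for either, which is the property a WAF rule keyed on the string `<script>` cannot give you.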



Advisories
Source: EUVD
ID: EUVD-2025-1695
Title: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the title parameter in all versions up to, and including, 1.38.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00129}
Values Added: epss {'score': 0.00165}


Fri, 23 May 2025 16:30:00 +0000

Type: First Time appeared
Values Added: Wpmudev; Wpmudev forminator Forms

Type: CPEs
Values Added: cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:free:wordpress:*:*

Type: Vendors & Products
Values Added: Wpmudev; Wpmudev forminator Forms

Fri, 31 Jan 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 31 Jan 2025 03:30:00 +0000

Type: Description
Values Added: the advisory description (identical to the Description at the top of this page)

Type: Title
Values Added: Forminator <= 1.38.2 - Reflected Cross-Site Scripting via Title Parameter

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none recorded)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:17.289Z

Reserved: 2025-01-14T12:38:42.715Z

Link: CVE-2025-0470

Vulnrichment

Updated: 2025-01-31T16:51:40.508Z

NVD

Status : Analyzed

Published: 2025-01-31T04:15:09.053

Modified: 2025-05-23T16:14:15.927

Link: CVE-2025-0470

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses