Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form_name parameter in all versions up to, and including, 1.50.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The plugin allows admins to give form management permissions to lower level users, which could make this exploitable by users such as subscribers.
Published: 2026-02-17
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Forminator Forms plugin for WordPress contains a stored cross‑site scripting flaw in the form_name parameter, allowing authenticated administrators or users with form‑management rights to inject malicious scripts that persist in the database and execute whenever a page containing the form is viewed. The underlying weakness is insufficient input sanitization and output escaping (CWE‑79).

Affected Systems

The vulnerability affects all installations of the Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin up to and including version 1.50.2. WordPress sites running these versions, especially those that grant form‑management permissions to subscriber or lower‑level roles, are susceptible. Upgrading to version 1.50.3 or later removes the flaw.

Risk and Exploitability

The CVSS score is 4.4, indicating moderate risk, while the EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Attackers must have authenticated access, typically as administrators or privileged users with form‑management rights, and then submit a specially crafted form_name payload. Once stored, the script executes in the browser context of any visitor to the affected page.

Generated by OpenCVE AI on April 15, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Forminator plugin to version 1.50.3 or later to resolve the stored XSS flaw.
  • Review user roles and remove form‑management permissions from subscriber or lower‑level accounts, limiting editing of the form_name field to trusted administrators.
  • Implement input validation for the form_name field, ensuring that any content is properly sanitized or escaped before storage.
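The last recommendation is the general fix for this class of bug: sanitize a one-line value such as a form name when it is stored, and escape it for its output context when it is rendered. The PHP below is an added illustration written for this page, not Forminator's own code or its fix; the `demo_` function names, the `demo_form_name` option key and the `demo_manage_forms` capability are hypothetical, while `sanitize_text_field()`, `wp_unslash()`, `esc_html()`, `esc_attr()`, `update_option()`, `get_option()`, `current_user_can()` and `WP_Error` are real WordPress core APIs. The unsafe pattern is shown beside the hardened one so the two differences (no sanitization on input, no escaping on output) are visible.

```php
<?php
// Added example, not plugin code. Names prefixed "demo_" are hypothetical.
// Runs inside WordPress (the WP_* functions are core APIs).

// --- Unsafe pattern: raw request value stored, raw stored value echoed ---------
function demo_save_form_name_unsafe( array $request ) {
    // No capability check and no sanitization: whatever was submitted is persisted.
    update_option( 'demo_form_name', $request['form_name'] );
}

function demo_render_form_name_unsafe() {
    // Output is not escaped, so any markup in the stored value becomes part of
    // the page for every visitor (the stored-XSS condition described above).
    return '<h2 class="form-title">' . get_option( 'demo_form_name' ) . '</h2>';
}

// --- Hardened pattern: capability check, sanitize on input, escape on output ---
function demo_save_form_name_safe( array $request ) {
    // Only users explicitly allowed to manage forms may change the name; the
    // capability string is a hypothetical one chosen for this example.
    if ( ! current_user_can( 'demo_manage_forms' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    // sanitize_text_field() strips tags, invalid UTF-8 and line breaks, which is
    // the right treatment for a single-line human-readable label.
    $name = sanitize_text_field( wp_unslash( $request['form_name'] ?? '' ) );
    if ( '' === $name || mb_strlen( $name ) > 200 ) {
        return new WP_Error( 'invalid', 'Form name must be 1-200 characters.' );
    }
    update_option( 'demo_form_name', $name );
    return true;
}

function demo_render_form_name_safe() {
    // Escape for the context the value lands in: esc_html() for element content,
    // esc_attr() for an attribute value. Escaping at output also neutralizes a
    // tainted value that was stored before the input-side fix was deployed.
    $name = get_option( 'demo_form_name', '' );
    return '<h2 class="form-title" data-form-name="' . esc_attr( $name ) . '">'
        . esc_html( $name ) . '</h2>';
}
```

Sanitizing at storage only protects values written after the fix; escaping at output is what protects a site whose database already holds a tainted name. After upgrading, reviewing existing form names for unexpected markup is the practical check that the earlier writes were benign.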

Generated by OpenCVE AI on April 15, 2026 at 20:26 UTC.


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 09:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpmudev; Wpmudev forminator Forms – Contact Form, Payment Form & Custom Form Builder

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpmudev; Wpmudev forminator Forms – Contact Form, Payment Form & Custom Form Builder

Tue, 17 Feb 2026 05:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form_name parameter in all versions up to, and including, 1.50.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The plugin allows admins to give form management permissions to lower level users, which could make this exploitable by users such as subscribers.

Type: Title
Values Removed: (none)
Values Added: Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:48.539Z

Reserved: 2026-02-05T17:57:40.857Z

Link: CVE-2026-2002

Vulnrichment

Updated: 2026-02-17T14:36:28.636Z

NVD

Status : Deferred

Published: 2026-02-17T05:16:17.080

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2002

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses