Description
Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.
Published: 2026-06-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated cross‑site scripting flaw in the Forminator plugin for WordPress, affecting all versions 1.53.1 and earlier. A malicious actor can inject arbitrary JavaScript into the plugin’s form rendering routine, which will execute in the browsers of anyone who views the affected page. This flaw aligns with CWE‑79.

Affected Systems

The affected product is the WPMU DEV Forminator plugin for WordPress, with all releases up to and including 1.53.1 vulnerable. Users running these versions are at risk if they host or display the plugin’s forms.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high severity. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated and relies on user‑visible rendering, any public or internal page that loads Forminator forms can be targeted. Successful exploitation would inject client‑side code that runs within the context of the viewing user's browser.

Generated by OpenCVE AI on June 25, 2026 at 16:17 UTC.

Remediation

Vendor Solution

Update the WordPress Forminator Plugin to the latest available version (at least 1.53.2).

OpenCVE Recommended Actions

  • Update the Forminator plugin to version 1.53.2 or later.
  • If an immediate upgrade is not possible, temporarily disable or remove the Forminator plugin from public pages.
  • Sanitize and encode any user‑supplied input or output rendered by the plugin, following best practices for preventing XSS (CWE‑79).

Generated by OpenCVE AI on June 25, 2026 at 16:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.
Title WordPress Forminator plugin <= 1.53.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:52:38.046Z

Reserved: 2026-06-18T14:38:18.949Z

Link: CVE-2026-56071

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:30:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')