Forminator

This hub aggregates every CVE we track for Forminator, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Forminator.

• CVE-2026-32409WordPress Forminator plugin <= 1.50.2 - Broken Access Control vulnerability5.3Mar 13, 2026
• CVE-2025-6464Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion7.5Jul 2, 2025
• CVE-2025-6463Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion8.8Jul 2, 2025
• CVE-2024-45625Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows ...6.1Sep 9, 2024
• CVE-2024-7389Forminator <= 1.29.1 - HubSpot Developer API Key Sensitive Information Exposure7.5Aug 2, 2024
• CVE-2024-28890Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by acces...5.3Apr 23, 2024
• CVE-2024-31077Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any info...7.2Apr 23, 2024
• CVE-2024-31857Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the u...5.4Apr 23, 2024
• CVE-2024-1794Forminator <= 1.29.0 - Unauthenticated Stored Cross-Site Scripting via File Upload7.2Apr 9, 2024
• CVE-2024-3053Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.29.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode6.4Apr 9, 2024
• CVE-2024-29777WordPress Forminator plugin <= 1.29.0 - Reflected Cross Site Scripting (XSS) vulnerability7.1Mar 27, 2024
• CVE-2023-5119Forminator and Forminator Pro < 1.27.0 - Admin+ Stored Cross-Site Scripting4.8Nov 20, 2023
• CVE-2023-6133Forminator <= 1.27.0 - Authenticated (Administrator+) Arbitrary File Upload6.6Nov 15, 2023
• CVE-2023-4596Forminator <= 1.24.6 - Unauthenticated Arbitrary File Upload9.8Aug 30, 2023
• CVE-2023-3134Forminator < 1.24.4 - Reflected XSS6.1Jul 31, 2023