Forminator forms – contact form, payment form & custom form builder

This hub aggregates every CVE we track for Forminator forms – contact form, payment form & custom form builder, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Forminator forms – contact form, payment form & custom form builder.

• CVE-2026-6214Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook6.5May 7, 2026
• CVE-2026-6222Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter5.3May 7, 2026
• CVE-2026-5192Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]'7.5May 5, 2026
• CVE-2026-2729Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter5.3May 5, 2026
• CVE-2026-2002Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting4.4Feb 17, 2026
• CVE-2025-14782Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export5.3Jan 9, 2026
• CVE-2025-7638Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter4.9Jul 18, 2025
• CVE-2025-6464Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion7.5Jul 2, 2025
• CVE-2025-6463Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion8.8Jul 2, 2025
• CVE-2025-5341Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters6.4Jun 5, 2025
• CVE-2025-3479Forminator <= 1.42.0 - Order Replay Vulnerability5.3Apr 17, 2025
• CVE-2025-3487Forminator <= 1.42.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit'6.4Apr 17, 2025
• CVE-2025-0469Forminator <= 1.39.2 - Authenticated (Contributor+) Stored Cross-Site Scripting6.4Feb 27, 2025
• CVE-2025-0470Forminator <= 1.38.2 - Reflected Cross-Site Scripting via Title Parameter6.1Jan 31, 2025
• CVE-2024-9700Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation5.3Oct 31, 2024