Reflected Cross-Site Scripting Vulnerability in Forminator Forms Plugin by WordPress
CVE-2025-0470
6.1 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 31 January 2025
Summary
The Forminator Forms plugin, used for creating contact forms and other applications on WordPress sites, contains a vulnerability that allows for reflected cross-site scripting. This weakness arises from inadequate input sanitization and insufficient output escaping of the title parameter across all versions up to and including 1.38.2. It enables unauthenticated attackers to inject arbitrary scripts into web pages. If an unsuspecting user clicks a specially crafted link, malicious scripts could be executed within their browser, potentially leading to unauthorized actions and compromise of sensitive information.
Affected Version(s)
Forminator Forms – Contact Form, Payment Form & Custom Form Builder * <= 1.38.2
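Because the injection is reflected through the title parameter, web server access logs are one place to check for attempts against a site that ran 1.38.2 or earlier. The following is an added example, not code from the plugin or from this advisory: it flags logged requests whose `title` query value decodes to markup, including nested percent-encoding. The request path, the `page` parameter and the log lines are constructed placeholders, since the advisory does not name the affected endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters and sequences that an unescaped reflection would turn into markup or script.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_title(target):
    """Return the decoded `title` value if it carries markup, else None."""
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key.lower() == "title":
            decoded = decode_fully(value)
            if SUSPICIOUS.search(decoded):
                return decoded
    return None

def scan(log_lines):
    """Return a list of (line_number, decoded_title) for flagged requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if match:
            title = suspicious_title(match.group(1))
            if title is not None:
                hits.append((number, title))
    return hits

# Constructed sample lines; path and `page` value are placeholders (assumption).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=example&title=Contact+us HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Jan/2025:10:00:07 +0000] "GET /wp-admin/admin.php?page=example&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [31/Jan/2025:10:00:09 +0000] "GET /wp-admin/admin.php?page=example&title=%2522%2520onfocus%253Dalert(1) HTTP/1.1" 200 538',
    '198.51.100.2 - - [31/Jan/2025:10:01:00 +0000] "GET /index.php?s=title HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, title in scan(SAMPLE_LOG):
        print(f"line {number}: title={title!r}")
```

Access logs normally record only the query string, so a value sent in a POST body will not appear here. A legitimate title containing an apostrophe or quote will also be flagged and needs manual triage.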
CVSS V3.1
- Score: 6.1
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Asaf Mozes