Stored Cross-Site Scripting Vulnerability in Forminator Forms Plugin for WordPress
CVE-2025-3487

6.4MEDIUM

Key Information:

Vendor
WordPress
Status
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vendor
CVE Published:
17 April 2025

Summary

The Forminator Forms plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability via the 'limit' parameter due to inadequate input sanitization and output escaping. This issue affects all versions up to and including 1.42.0, allowing authenticated attackers, with Contributor-level access or higher, to inject arbitrary web scripts. These scripts can execute on pages when other users access them, potentially leading to unauthorized actions or data exposure.

Affected Version(s)

Forminator Forms – Contact Form, Payment Form & Custom Form Builder * <= 1.42.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/forminator/tag...
https://plugins.trac.wordpress.org/browser/forminator/tag...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Asaf Mozes
.