Unauthenticated Cross Site Scripting Vulnerability in Forminator Plugin by WordPress
CVE-2026-56071

7.1HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
25 June 2026

What is CVE-2026-56071?

The Forminator plugin for WordPress is affected by an unauthenticated Cross Site Scripting (XSS) vulnerability that impacts versions up to 1.53.1. This issue allows attackers to inject malicious scripts into the web pages viewed by users, potentially leading to compromise of user sessions, redirection to malicious sites, or unauthorized actions performed in the context of the logged-in user.

Affected Version(s)

Forminator <= 1.53.1

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

daroo | Patchstack Bug Bounty Program
.