Medium 5.3
2026-05-07< 1.52
CVE-2026-6222
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Minimum safe version
1.53.0.1
Update to 1.53.0.1 or later to address 49 fixable vulnerabilities
Latest available1.53.2 ✓
Medium 6.5
2026-05-07< 1.53.0.1
CVE-2026-6214
Medium 5.3
2026-05-05< 1.52.1
CVE-2026-2729
High 7.5
2026-05-05< 1.52.2
CVE-2026-5192
N/A
2026-02-16< 1.50.3
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Medium 5.3
2026-03-13< 1.50.3
CVE-2026-32409
Medium 5.3
2026-01-09< 1.49.2
CVE-2025-14782
Medium 4.9
2025-07-18< 1.45.1
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter
High 7.5
2025-07-02< 1.44.3
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion
High 8.8
2025-07-02< 1.44.3
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
Medium 6.4
2025-06-05< 1.44.2
Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters
Medium 4.8
2025-02-14< 1.38.3
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.38.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Medium 5.3
2025-04-17< 1.42.1
Forminator <= 1.42.0 - Order Replay Vulnerability
Medium 6.4
2025-04-17< 1.42.1
Forminator <= 1.42.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit'
Medium 6.4
2025-02-27< 1.39.3
Forminator <= 1.39.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Medium 6.1
2025-01-31< 1.38.3
WordPress Forminator Plugin <= 1.38.2 is vulnerable to Cross Site Scripting (XSS)
Medium 5.3
2024-10-31< 1.36.1
CVE-2024-9700
High 7.5
2024-10-28< 1.36.0
WordPress Forminator Plugin <= 1.35.1 is vulnerable to Broken Access Control
Medium 4.3
2024-10-17< 1.36.0
CVE-2024-9351
Medium 4.3
2024-10-17< 1.36.0
CVE-2024-9352
Medium 6.1
2024-09-09< 1.34.1
CVE-2024-45625
High 7.5
2024-08-02< 1.29.2
CVE-2024-7389
High 7.2
2024-04-23< 1.29.3
CVE-2024-31077
Medium 5.4
2024-04-23< 1.15.4
CVE-2024-31857
Medium 5.3
2024-04-23< 1.29.0
CVE-2024-28890
Medium 5.4
2024-04-09< 1.29.3
CVE-2024-3053
Medium 6.1
2024-04-09< 1.29.1
CVE-2024-1794
High 7.1
2024-03-27< 1.29.1
CVE-2024-29777
Medium 4.8
2023-11-20< 1.27.0
CVE-2023-5119
Medium 4.9
2023-11-15< 1.28.0
CVE-2023-6133
Critical 9.8
2023-08-30< 1.25.0
CVE-2023-4596
Medium 6.1
2023-07-31< 1.24.4
CVE-2023-3134
N/A
2023-04-12< 1.23.3
Forminator <= 1.22.1 - Missing Authorization on 'hubspot_support_request' AJAX function
Medium 4.3
2023-07-12< 1.13.5
CVE-2021-4417
Low 3.1
2023-07-04< 1.24.1
CVE-2023-2010
N/A
2023-06-07< 1.14.8.1
CVE-2021-4342
N/A
2023-04-13< 1.23.3
WordPress Forminator Plugin <= 1.22.1 is vulnerable to Broken Access Control
N/A
2023-04-12< 1.23.3
Forminator <= 1.22.1 - Missing Authorization on 'load_recaptcha_preview' AJAX function
N/A
2023-04-12< 1.23.3
Forminator <= 1.22.1 - Missing Authorization on 'load_hcaptcha_preview' AJAX function
High 7.1
2023-07-14< 1.14.12
WordPress Forminator Plugin <= 1.14.11 is vulnerable to Cross Site Scripting (XSS)
N/A
< 1.14.8.1
Various Affected Software (Various Versions) - Cross-Site Request Forgery Bypass
N/A
< 1.14.8.1
Multiple Plugins - CSRF Nonce Bypasses
N/A
2019-02-06< 1.6
WordPress Forminator plugin <= 1.5.4 - Authenticated Blind SQL Injection (SQLi) vulnerability
N/A
2019-02-06< 1.6
WordPress Forminator plugin <= 1.5.4 - Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability
N/A
2020-09-16< 1.13.5
WordPress Forminator plugin <= 1.13.4 - Cross-Site Request Forgery (CSRF) vulnerability
N/A
2021-03-01< 1.14.8.1
WordPress Forminator plugin <= 1.14.8 - Cross-Site Request Forgery (CSRF) vulnerability
Medium 6.5
2019-03-04< 1.6
CVE-2019-9568
Medium 6.1
2019-03-04< 1.6
CVE-2019-9567
Medium 4.8
2021-11-23< 1.15.4
CVE-2021-24700