Skip to main content

Forminator CVE-2023-6133

MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2023-11-15 security@wordfence.com
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch released
Apr 08, 2026 - 17:22 nvd
Patch available
CVE Published
Nov 15, 2023 - 07:15 nvd
MEDIUM 6.6

DescriptionCVE.org

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.

AnalysisAI

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed. Affected products include: Incsub Forminator.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2023-4596 CRITICAL POC
9.8 Aug 30

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after

CVE-2024-7389 HIGH POC
7.5 Aug 02

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including

CVE-2019-9568 MEDIUM POC
6.5 Mar 04

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/ad

CVE-2023-3134 MEDIUM POC
6.1 Jul 31

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form field

CVE-2019-9567 MEDIUM POC
6.1 Mar 04

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a

CVE-2021-4417 MEDIUM POC
5.4 Jul 12

The Forminator - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Reque

CVE-2025-6463 HIGH
8.8 Jul 02

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary

CVE-2023-5119 MEDIUM POC
4.8 Nov 20

The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission s

CVE-2021-24700 MEDIUM POC
4.8 Nov 23

The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high

CVE-2025-6464 HIGH
7.5 Jul 02

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object

CVE-2024-1794 HIGH
7.2 Apr 09

The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. Rated high s

CVE-2026-57815 HIGH
7.5 Jul 13

Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and

Share

CVE-2023-6133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy