Skip to main content

Forminator CVE-2026-57814

| EUVDEUVD-2026-43426 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

DOM-based XSS is network-reachable with no privileges but needs victim interaction (UI:R); browser-context execution justifies S:C and C:L/I:L, while availability impact is not realistic, so A:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:25 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows DOM-Based XSS.This issue affects Forminator: from n/a through <= 1.55.0.1.

AnalysisAI

DOM-based cross-site scripting in the WPMU DEV Forminator WordPress plugin (versions up to and including 1.55.0.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a maliciously crafted link or page element. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope-changing impact but requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload
Delivery
Deliver link to logged-in user via phishing
Exploit
Victim opens page, DOM sink renders payload
Execution
Script executes in victim browser session
Impact
Steal session cookies or forge admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to interact with attacker-controlled input - specifically opening a crafted URL or triggering a page element that Forminator's client-side JavaScript renders into the DOM without sanitization (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) indicates network reach, low complexity, and no privileges, but crucially requires user interaction (UI:R), which is the primary limiting factor and is consistent with DOM-based XSS delivered via a crafted link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a page on the target WordPress site that embeds a malicious script payload in a location Forminator's client-side code reflects into the DOM (such as a URL fragment or query parameter). The attacker sends this link to a logged-in administrator or editor via phishing; when the victim opens it, the script executes in their authenticated session and can exfiltrate cookies, forge admin actions, or plant persistent content. …
Remediation Upgrade Forminator to the next release published after 1.55.0.1; the fixed version is not explicitly stated in the provided data and should be confirmed directly from the Patchstack advisory or the WordPress.org plugin changelog before deployment (Patch available per vendor advisory, released patched version not independently confirmed). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit WordPress installations to identify affected Forminator plugin versions (1.55.0.1 and earlier) and segregate impacted sites from user-facing traffic if possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-4596 CRITICAL POC
9.8 Aug 30

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after

CVE-2024-7389 HIGH POC
7.5 Aug 02

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including

CVE-2019-9568 MEDIUM POC
6.5 Mar 04

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/ad

CVE-2023-3134 MEDIUM POC
6.1 Jul 31

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form field

CVE-2019-9567 MEDIUM POC
6.1 Mar 04

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a

CVE-2021-4417 MEDIUM POC
5.4 Jul 12

The Forminator - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Reque

CVE-2025-6463 HIGH
8.8 Jul 02

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary

CVE-2023-5119 MEDIUM POC
4.8 Nov 20

The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission s

CVE-2021-24700 MEDIUM POC
4.8 Nov 23

The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high

CVE-2025-6464 HIGH
7.5 Jul 02

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object

CVE-2024-1794 HIGH
7.2 Apr 09

The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. Rated high s

CVE-2026-57815 HIGH
7.5 Jul 13

Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and

Share

CVE-2026-57814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy