Skip to main content

Forminator EUVDEUVD-2026-39384

| CVE-2026-56071 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-25 Patchstack GHSA-h3hf-xcf9-4v9v
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable XSS (AV:N/PR:N) needs victim interaction (UI:R) and executes in a changed browser scope (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:24 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.

AnalysisAI

Cross-site scripting in the Forminator WordPress plugin (versions 1.53.1 and earlier, by WPMU DEV) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C, score 7.1) confirms no authentication is required but that user interaction triggers the payload, and the changed scope means the injected script runs in a security context beyond the vulnerable component. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft XSS payload for Forminator field
Delivery
Deliver via malicious link or submission
Exploit
Victim loads affected page
Execution
Script executes in victim browser
Impact
Hijack session or perform victim actions

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) and is reachable over the network (AV:N) against Forminator 1.53.1 and earlier, but it is gated by user interaction (UI:R): a victim must click an attacker-crafted link or load a page containing the injected payload for the script to fire. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious link or form submission containing a script payload targeting a vulnerable Forminator endpoint, then lures a site visitor or administrator into clicking it or viewing the affected page. When the unsanitized input is rendered, the script executes in the victim's browser, enabling session token theft, defacement, or actions performed as the victim. …
Remediation No vendor-released patch version was identified in the provided data; the affected range is up to and including 1.53.1, so the primary action is to upgrade Forminator to the latest available release beyond 1.53.1 via the WordPress plugin updater and confirm the fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/forminator/vulnerability/wordpress-forminator-plugin-1-53-1-cross-site-scripting-xss-vulnerability). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for Forminator plugin version 1.53.1 or earlier; document affected systems and user exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-4596 CRITICAL POC
9.8 Aug 30

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after

CVE-2024-7389 HIGH POC
7.5 Aug 02

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including

CVE-2019-9568 MEDIUM POC
6.5 Mar 04

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/ad

CVE-2023-3134 MEDIUM POC
6.1 Jul 31

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form field

CVE-2019-9567 MEDIUM POC
6.1 Mar 04

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a

CVE-2021-4417 MEDIUM POC
5.4 Jul 12

The Forminator - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Reque

CVE-2025-6463 HIGH
8.8 Jul 02

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary

CVE-2023-5119 MEDIUM POC
4.8 Nov 20

The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission s

CVE-2021-24700 MEDIUM POC
4.8 Nov 23

The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high

CVE-2025-6464 HIGH
7.5 Jul 02

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object

CVE-2024-1794 HIGH
7.2 Apr 09

The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. Rated high s

CVE-2026-57815 HIGH
7.5 Jul 13

Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and

Share

EUVD-2026-39384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy