Vulnerabilities > Incsub

DATE CVE VULNERABILITY TITLE RISK
2024-09-09 CVE-2024-45625 Cross-site Scripting vulnerability in Incsub Forminator
Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1.
network
low complexity
incsub CWE-79
6.1
2023-11-20 CVE-2023-5119 Cross-site Scripting vulnerability in Incsub Forminator
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).
network
low complexity
incsub CWE-79
4.8
2023-11-15 CVE-2023-6133 Unrestricted Upload of File with Dangerous Type vulnerability in Incsub Forminator
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0.
network
low complexity
incsub CWE-434
4.9
2023-08-30 CVE-2023-4596 Unspecified vulnerability in Incsub Forminator
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6.
network
low complexity
incsub
critical
9.8
2023-07-31 CVE-2023-3134 Unspecified vulnerability in Incsub Forminator
The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.
network
low complexity
incsub
6.1
2023-07-12 CVE-2021-4417 Unspecified vulnerability in Incsub Forminator
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4.
network
low complexity
incsub
4.3
2023-07-04 CVE-2023-2010 Race Condition vulnerability in Incsub Forminator
The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information.
network
high complexity
incsub CWE-362
3.1
2023-04-10 CVE-2023-1478 Unspecified vulnerability in Incsub Hummingbird
The Hummingbird WordPress plugin before 3.4.2 does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module.
network
low complexity
incsub
critical
9.8
2023-03-16 CVE-2021-36821 Cross-site Scripting vulnerability in Incsub Forminator
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Stored XSS.This issue affects Forminator: from n/a through 1.14.11.
network
low complexity
incsub CWE-79
6.1
2022-04-18 CVE-2022-0994 Cross-site Scripting vulnerability in Incsub Hummingbird
The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
network
incsub CWE-79
3.5