Vulnerabilities > Incsub > Forminator
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-09 | CVE-2024-45625 | Cross-site Scripting vulnerability in Incsub Forminator Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. | 6.1 |
| 2023-11-20 | CVE-2023-5119 | Cross-site Scripting vulnerability in Incsub Forminator The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | 4.8 |
| 2023-11-15 | CVE-2023-6133 | Unrestricted Upload of File with Dangerous Type vulnerability in Incsub Forminator The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. | 4.9 |
| 2023-08-30 | CVE-2023-4596 | Unspecified vulnerability in Incsub Forminator The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. | 9.8 |
| 2023-07-31 | CVE-2023-3134 | Unspecified vulnerability in Incsub Forminator The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. | 6.1 |
| 2023-07-12 | CVE-2021-4417 | Unspecified vulnerability in Incsub Forminator The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. | 4.3 |
| 2023-07-04 | CVE-2023-2010 | Race Condition vulnerability in Incsub Forminator The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. | 3.1 |
| 2023-03-16 | CVE-2021-36821 | Cross-site Scripting vulnerability in Incsub Forminator Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Stored XSS.This issue affects Forminator: from n/a through 1.14.11. | 6.1 |
| 2021-11-23 | CVE-2021-24700 | Cross-site Scripting vulnerability in Incsub Forminator The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 3.5 |
| 2019-03-04 | CVE-2019-9568 | SQL Injection vulnerability in Incsub Forminator The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission. | 6.5 |