Incsub

Forminator

20 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
4.8

CVE-2023-5119

Exploit
  • EPSS 0.09%
  • Published 20.11.2023 19:15:09
  • Last modified 21.11.2024 08:41:05

The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_...

4.9

CVE-2023-6133

  • EPSS 0.2%
  • Published 15.11.2023 07:15:14
  • Last modified 21.11.2024 08:43:12

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers ...

9.8

CVE-2023-4596

Exploit
  • EPSS 93.07%
  • Published 30.08.2023 02:15:09
  • Last modified 21.11.2024 08:35:30

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it...

6.1

CVE-2023-3134

Exploit
  • EPSS 0.12%
  • Published 31.07.2023 10:15:10
  • Last modified 21.11.2024 08:16:32

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.

4.3

CVE-2021-4417

Exploit
  • EPSS 0.13%
  • Published 12.07.2023 04:15:11
  • Last modified 21.11.2024 06:37:40

The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving...

3.1

CVE-2023-2010

Exploit
  • EPSS 0.05%
  • Published 04.07.2023 08:15:10
  • Last modified 21.11.2024 07:57:45

The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.

6.1

CVE-2021-36821

  • EPSS 0.07%
  • Published 16.03.2023 15:15:10
  • Last modified 21.11.2024 06:14:09

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Stored XSS.This issue affects Forminator: from n/a through 1.14.11.

4.8

CVE-2021-24700

Exploit
  • EPSS 0.21%
  • Published 23.11.2021 20:15:09
  • Last modified 21.11.2024 05:53:35

The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

6.1

CVE-2019-9567

Exploit
  • EPSS 0.6%
  • Published 04.03.2019 18:29:00
  • Last modified 21.11.2024 04:51:52

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.

6.5

CVE-2019-9568

Exploit
  • EPSS 0.65%
  • Published 04.03.2019 18:29:00
  • Last modified 21.11.2024 04:51:52

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission.