CVE-2025-5341 in Forminator Plugin

Summary

by MITRE • 06/05/2025

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'data-size' parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 06/23/2026

The Forminator plugin for WordPress is a widely deployed solution for building contact forms, payment forms, and custom forms. This vulnerability affects all versions up to and including 1.44.1, making it a significant concern for WordPress site administrators who rely on the plugin for their web presence. The issue is a stored cross-site scripting vulnerability in the handling of the 'id' and 'data-size' parameters within the plugin's functionality.

The technical flaw stems from inadequate input sanitization and output escaping in the plugin's codebase. When an authenticated attacker with Contributor-level access or higher submits form data containing script through these parameters, the plugin neither validates the input on the way in nor escapes it when it is rendered, so the value is stored in the database as-is. The stored content then executes whenever any user loads a page containing the injected script, creating a persistent security risk that affects every visitor to the compromised site.

The operational impact extends beyond simple script execution: the vulnerability enables credential theft, session hijacking, and data exfiltration. Attackers can use it to inject scripts that redirect users to phishing sites, steal cookies and session information, or serve as a malware delivery mechanism. Because a Contributor-level account is sufficient, even relatively low-privilege users can potentially compromise an entire site, which makes the issue particularly dangerous in environments where many users hold varying levels of access.

This vulnerability maps directly to CWE-79, which describes cross-site scripting flaws resulting from insufficient input sanitization and output escaping. The attack pattern aligns with ATT&CK technique T1566.001, which covers credential access through phishing attacks, as attackers can use XSS to steal authentication tokens and session data. Additionally, the vulnerability shows characteristics of T1213.002, which involves data from information repositories, since the stored nature of the attack allows persistent access to user data through the compromised form submissions.

Organizations should immediately update to the latest version of the Forminator plugin, in which this vulnerability has been addressed. In the interim, administrators should implement additional measures: restrict user privileges to only the functionality each role needs, deploy a Content Security Policy that restricts script execution, and monitor for suspicious form submissions. The vulnerability highlights the critical importance of input validation and output escaping in web applications, particularly those handling user-generated content. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other plugins and themes.
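To make the flaw and its fix concrete, the following added example (not Forminator's code; the allowlists, the markup and the sample entries are assumptions constructed for illustration) models the two attributes the advisory names. It contrasts rendering stored 'id' and 'data-size' values verbatim with an allowlist-then-escape pattern, and includes a small scanner of the kind an administrator could run over stored submissions while monitoring for the suspicious input the analysis recommends watching for.

```python
import html
import re

# Allowlists for the two attributes named in the advisory (constructed here;
# the plugin's real validation rules are not described on the page).
ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,63}$")   # well-formed HTML id
SIZE_VALUES = {"small", "medium", "large"}             # assumed data-size options

# Characters/patterns that would let a value break out of a quoted attribute.
ATTR_BREAKOUT = re.compile(r'["\'<>]|\son[a-z]+\s*=', re.IGNORECASE)

SAMPLE_ROWS = [  # constructed stored entries, not real plugin data
    {"entry": 1, "id": "contact-form-7", "data-size": "medium"},
    {"entry": 2, "id": 'x" onmouseover="alert(1)', "data-size": "medium"},
    {"entry": 3, "id": "newsletter", "data-size": "xl"},
]


def validate_attr(name, value):
    """Return value if it is an allowed id / data-size, otherwise None."""
    if name == "id":
        return value if ID_RE.match(value) else None
    if name == "data-size":
        return value if value in SIZE_VALUES else None
    return None


def render_unsafe(row):
    # Vulnerable pattern: stored values are interpolated into markup as-is.
    return '<div id="{}" data-size="{}"></div>'.format(row["id"], row["data-size"])


def render_safe(row):
    # Hardened pattern: reject anything outside the allowlist at input time,
    # then escape at output time anyway (defence in depth, like WP's esc_attr()).
    out = {}
    for name in ("id", "data-size"):
        v = validate_attr(name, row.get(name, ""))
        out[name] = html.escape(v, quote=True) if v is not None else ""
    return '<div id="{}" data-size="{}"></div>'.format(out["id"], out["data-size"])


def scan_submissions(rows):
    """List (entry, attribute, looks_like_breakout) for rows failing validation."""
    findings = []
    for row in rows:
        for name in ("id", "data-size"):
            value = row.get(name, "")
            if validate_attr(name, value) is None:
                findings.append((row["entry"], name, bool(ATTR_BREAKOUT.search(value))))
    return findings
```

Entry 3 is flagged as malformed but not as a break-out attempt, which is the distinction a triage queue needs to prioritise real injection over benign validation failures.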

Reservation: 05/29/2025

Disclosure: 06/05/2025

Moderation: accepted

CPE: ready

EPSS: 0.00232

KEV: no

Activities: very low
