WordPress Plugin Vulnerabilities

Forminator < 1.14.12 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow unauthenticted users to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
forminator
Fixed in 1.14.12

References

CVE
CVE-2021-36821

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Jörgson
Verified
No
WPVDB ID
c957f2cd-989e-4c61-8c35-964eea8d530b

Timeline

Publicly Published
2021-07-14 (about 4 years ago)
Added
2023-03-16 (about 3 years ago)
Last Updated
2023-03-16 (about 3 years ago)

Other

Published
Title
Published
2025-06-18
Title
WPBakery Page Builder < 8.5 - Authenticated (Author+) Stored Cross-Site Scripting via Grid Builder
Published
2025-06-19
Title
ANON::form embedded secure form < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-04-10
Title
Top Bar < 3.0.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-07-25
Title
Wonder Slider Lite & Wonder Slider <= 14.4 - Authenticated (Contributor+) Dom-based Stored Cross-Site Scripting
Published
2025-09-09
Title
Welcart e-Commerce < 2.11.21 - Authenticated (Editor+) Stored Cross-Site Scripting