cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10402,https://securityvulnerability.io/vulnerability/CVE-2024-10402,Unauthorized Access Vulnerability in The Forminator Forms Plugin for WordPress,"The Forminator Forms plugin for WordPress encompasses a security flaw that allows authenticated users with Contributor-level access or higher to bypass essential capability checks. This vulnerability exists in all versions through 1.35.1, potentially permitting attackers to create, edit, and manipulate forms. Notably, this could lead to unauthorized updates of default registration roles, specifically enabling Users to be assigned as Administrators, posing significant risks to data integrity and user access controls.",WPmudev,"Forminator Forms – Contact Form, Payment Form & Custom Form Builder",7.5,HIGH,0.0005000000237487257,false,false,false,false,,false,false,2024-10-26T11:38:03.383Z,0
CVE-2024-9351,https://securityvulnerability.io/vulnerability/CVE-2024-9351,The Forminator Forms Plugin Vulnerable to Cross-Site Request Forgery,"The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the quiz 'create_module' function. This makes it possible for unauthenticated attackers to create draft quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",WPmudev,"Forminator Forms – Contact Form, Payment Form & Custom Form Builder",4.3,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-10-17T05:33:09.391Z,0
CVE-2024-9352,https://securityvulnerability.io/vulnerability/CVE-2024-9352,Cross-Site Request Forgery Vulnerability in Forminator Forms,"The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the custom form 'create_module' function. This makes it possible for unauthenticated attackers to create draft forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",WPmudev,"Forminator Forms – Contact Form, Payment Form & Custom Form Builder",4.3,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-10-17T05:33:08.753Z,0
CVE-2024-1794,https://securityvulnerability.io/vulnerability/CVE-2024-1794,Stored Cross-Site Scripting Vulnerability in The Forminator Plugin for WordPress,"The Forminator plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting (XSS) through the upload of harmful files, such as 3gpp files. This issue arises from inadequate input sanitization and improper output escaping, enabling unauthenticated attackers to introduce arbitrary web scripts. These scripts execute whenever a user accesses the compromised page, potentially leading to unauthorized actions and data exposure.",WPmudev,"Forminator – Contact Form, Payment Form & Custom Form Builder",7.2,HIGH,0.0004299999854993075,false,false,false,false,,false,false,2024-04-09T18:58:38.653Z,0
CVE-2024-3053,https://securityvulnerability.io/vulnerability/CVE-2024-3053,Stored Cross-Site Scripting Vulnerability in The Forminator Plugin,"The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",WPmudev,"Forminator – Contact Form, Payment Form & Custom Form Builder",6.4,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-04-09T18:58:34.949Z,0
CVE-2023-6133,https://securityvulnerability.io/vulnerability/CVE-2023-6133,,"The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.",wpmudev,"Forminator – Contact Form, Payment Form & Custom Form Builder",4.9,MEDIUM,0.0010499999625608325,false,false,false,false,,false,false,2023-11-15T07:15:00.000Z,0
CVE-2023-4596,https://securityvulnerability.io/vulnerability/CVE-2023-4596,,"The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.",wpmudev,"Forminator – Contact Form, Payment Form & Custom Form Builder",9.8,CRITICAL,0.27553999423980713,false,false,false,true,true,false,false,2023-08-30T02:15:00.000Z,0
CVE-2021-4417,https://securityvulnerability.io/vulnerability/CVE-2021-4417,,"The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",WPmudev,"Forminator – Contact Form, Payment Form & Custom Form Builder",5.4,MEDIUM,0.0020800000056624413,false,false,false,false,,false,false,2023-07-12T03:40:45.797Z,0