Security Alert Summary
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the form_name parameter. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level access to inject scripts that execute when an injected page is viewed. Because the plugin can grant form management permissions to lower-level users, the issue may also be exploitable by users with reduced privileges if those permissions are granted.
CVE Details
- CVE ID: CVE-2026-2002
- Affected component: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress
- Affected versions: All versions up to, and including, 1.50.2
- Published: February 17, 2026 at 5:16:17 AM UTC
- Last modified: February 17, 2026 at 5:16:17 AM UTC
- CVSS v3.1: Base score 4.4, MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: HIGH
- User Interaction: NONE
- Scope: CHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
- Authentication / Privileges / User interaction: Requires an authenticated user with high privileges (PR:H). No user interaction is required (UI:N).
- Primary impact: Stored cross-site scripting leading to limited confidentiality and integrity impacts (as noted above); availability is not impacted.
- CWE / Weakness: CWE-79 (Cross-site Scripting)
- Fixed version: Not specified in the CVE entry
- Exploit status: Not specified in the CVE entry
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping for the form_name parameter in the plugin. When an attacker with the required privileges supplies crafted input for form_name, that input can be stored by the plugin and later rendered into pages without proper escaping. Any scripts included in the stored value will execute in the context of users who view the injected page.
The CVE description specifies that authenticated attackers with administrator-level access can perform the injection. It also notes that the plugin allows administrators to grant form management permissions to lower-level users (for example, subscribers), which could expand the set of users able to inject stored content if those permissions are assigned. The entry does not name specific PHP functions, hooks, or REST endpoints involved.
How This Could Impact Your Website
Consider a site with an owner, internal staff, and an external contractor who manages forms. If an account with form management permissions inserts a malicious value into the form_name field, that value may be stored and later rendered on a page that other users, such as staff or site administrators, visit. When those users load the affected page, injected scripts could run in their browsers. Practical consequences may include disclosure of low-sensitivity data visible on the page, session-related actions taken in the context of an affected user, or UI manipulation that facilitates targeted phishing or social engineering.
Because the CVSS impact is limited to low confidentiality and integrity effects, this vulnerability does not, based on the provided details, imply full site takeover. However, the ability to execute script in another user’s browser increases the risk of targeted attacks on staff or contributors, and could expose information such as internal user email addresses or enable actions performed in a user’s browser session. If you’re unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and capabilities, especially form management permissions granted to lower-privileged accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior or unexpected changes to forms and pages.
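One way to act on the monitoring step above, and on the mechanism described under Technical Details (a form_name value stored without proper escaping), is to audit the stored form names for markup. The following Python script is an added example, not code from the plugin or from the CVE entry; the row layout (id, author, name) and the sample rows are constructed assumptions, and the real table would be exported from your own site.

```python
import html
import re

# Patterns that indicate a stored form name carries markup rather than plain text.
# A legitimate form name ("Contact Us", "Quote Request") needs none of these.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
SCRIPT_URI_RE = re.compile(r"(?:javascript|data|vbscript)\s*:", re.IGNORECASE)


def normalize(value: str) -> str:
    """Decode HTML entities repeatedly so double-encoded markup is not missed."""
    prev = None
    while prev != value:
        prev, value = value, html.unescape(value)
    return value


def is_suspicious(form_name: str) -> bool:
    """True when a form name contains tags, inline event handlers or script URIs."""
    text = normalize(form_name)
    return bool(TAG_RE.search(text) or EVENT_ATTR_RE.search(text) or SCRIPT_URI_RE.search(text))


def audit_form_names(rows):
    """Return (form_id, author, decoded name) for every row that looks injected.

    `rows` is an iterable of dicts with keys id, name, author. This shape is a
    constructed assumption for the example, not the plugin's real schema.
    """
    return [(r["id"], r["author"], normalize(r["name"])) for r in rows if is_suspicious(r["name"])]


def render_form_name(form_name: str) -> str:
    """Output-escape a stored name the way a template should before echoing it."""
    return html.escape(form_name, quote=True)


# Constructed sample rows: two benign names, one with a tag, one entity-encoded event handler.
SAMPLE_ROWS = [
    {"id": 1, "author": "admin", "name": "Contact Us"},
    {"id": 2, "author": "editor", "name": "Quote Request (2026)"},
    {"id": 3, "author": "contractor", "name": "Support <script>/* constructed */</script>"},
    {"id": 4, "author": "subscriber", "name": "Feedback &lt;b onmouseover=x&gt;form&lt;/b&gt;"},
]

if __name__ == "__main__":
    for form_id, author, name in audit_form_names(SAMPLE_ROWS):
        print(f"form {form_id} by {author}: {name!r}")
```

Flagged rows point at the accounts and forms to review; the author column ties back to the role and permission review in the list above.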
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.