WordPress · Forminator Forms · CVE-2026-2002
**Name of the Vulnerable Software and Affected Versions**
Forminator Forms plugin for WordPress versions prior to 1.50.3
**Description**
The Forminator Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to inadequate input sanitization and output escaping in the `form name` parameter. Successful exploitation allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the compromised page. The plugin’s permission system, which allows administrators to grant form management access to lower-level users, could broaden the potential impact of this issue.
**Recommendations**
Update the Forminator Forms plugin to version 1.50.3 or later.