CVE-2026-2002

Name of the Vulnerable Software and Affected Versions Forminator Forms plugin for WordPress versions prior to 1.50.3

Description The Forminator Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to inadequate input sanitization and output escaping in the form name parameter. Successful exploitation allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the compromised page. The plugin’s permission system, which allows administrators to grant form management access to lower-level users, could broaden the potential impact of this issue.

Recommendations Update the Forminator Forms plugin to version 1.50.3 or later.