CVE-2025-0469: 
WordPress vulnerability analysis and mitigation

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-0469) discovered in versions up to and including 1.39.2. The vulnerability was disclosed on February 27, 2025, and affects the slider template data functionality of the plugin (NVD CVE).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue that stems from insufficient input sanitization and output escaping in the slider template data. The CVSS v3.1 base score is rated as 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N according to NVD, while Wordfence assessed it at 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD CVE).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD CVE).

Users should upgrade to versions after 1.39.2 of the Forminator Forms plugin to address this vulnerability. The fix involves proper input sanitization and output escaping of the slider template data (NVD CVE).