CVE-2025-3487: 
WordPress vulnerability analysis and mitigation

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'limit' parameter in versions up to and including 1.42.0. This vulnerability was disclosed on April 17, 2025 and affects the plugin's form builder functionality (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'limit' parameter in the form builder. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that execute when users access affected pages. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to inject malicious JavaScript code that executes in users' browsers when they view affected pages. This can lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors and administrators (NVD).

Users should update to a version newer than 1.42.0 when available. Until then, it is recommended to restrict access to the form builder functionality to only trusted administrators and review any existing forms for potential malicious scripts (NVD).