CVE-2025-5341: 
WordPress vulnerability analysis and mitigation

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'data-size' parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This vulnerability was discovered and disclosed on June 5, 2025 (NVD).

The vulnerability exists in the plugin's form handling functionality where the 'id' and 'data-size' parameters are not properly sanitized before being stored and displayed. This makes it possible for authenticated attackers with Contributor-level access or above to inject arbitrary web scripts that will execute whenever a user accesses an affected page. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers to store malicious JavaScript code that executes in victims' browsers when they view affected pages. This could lead to cookie theft, session hijacking, or other client-side attacks targeting site visitors and administrators (NVD).

The vulnerability has been patched in version 1.44.2 of the Forminator plugin. Site administrators should update to this version immediately. The update includes security improvements specifically addressing this issue (WordPress Plugin).