CVE-2024-3053
Published: April 11, 2026
Official Description
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
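The description names the bug class exactly: a shortcode attribute that reaches HTML output without validation or escaping. The following is an added illustration, not Forminator's own code; the `demo_form_*` function names and the markup are assumptions chosen to show the unsafe pattern beside its hardened form using the WordPress `shortcode_atts()`, `absint()` and `esc_attr()` helpers.

```php
<?php
// Added illustration, not Forminator's code: a hypothetical shortcode
// handler showing the bug class (unescaped attribute reaching HTML output)
// and the hardened form.

// Unsafe pattern: the raw 'id' attribute is interpolated into markup.
// Shortcodes are processed for anyone who can publish or edit post content,
// so a contributor-level author controls this value.
function demo_form_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'demo_form' );
    return '<div class="demo-form" data-form-id="' . $atts['id'] . '"></div>';
}

// Hardened pattern: validate the attribute against its expected type,
// then escape at the point of output.
function demo_form_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_form' );

    // Form IDs are integers; absint() discards anything that is not one.
    $form_id = absint( $atts['id'] );
    if ( 0 === $form_id ) {
        return '';
    }

    // esc_attr() is applied even though $form_id is already an integer:
    // output escaping must not depend on upstream validation holding.
    return sprintf(
        '<div class="demo-form" data-form-id="%s"></div>',
        esc_attr( (string) $form_id )
    );
}

add_shortcode( 'demo_form', 'demo_form_shortcode_safe' );
```

When auditing a plugin for this class of issue, check every `shortcode_atts()` result for a path to `echo`/`return` of HTML that is not wrapped in `esc_attr()`, `esc_html()` or a type-coercing validator.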
Risk Analysis
This vulnerability in the Forminator WordPress plugin allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts. These scripts execute when a user views an affected page, which can lead to compromise of that user's session or data. CISA has confirmed that the flaw is actively exploited, indicating its critical nature.
This vulnerability is actively being exploited in the wild and is included in CISA's Known Exploited Vulnerabilities Catalog.
Update the Forminator plugin to a version later than 1.29.2 to mitigate the stored cross-site scripting vulnerability.
Technical Analysis
CVE-2024-3053 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CISA has added CVE-2024-3053 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2024-3053 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts
- CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- Active exploitation confirmed: treat as P1