Forminator Stored XSS via form_name (CVE-2026-2002)
wp_kses_post runs before forminator_replace_variables — javascript: in form_name bypasses sanitization; CVSS 4.4.
Summary
CVE-2026-2002 is a stored cross-site scripting flaw in the Forminator WordPress plugin, versions ≤ 1.50.2 (CVSS 4.4). Root cause: wp_kses_post() sanitizes HTML field content before forminator_replace_variables() substitutes {form_name}, so a user with the form-edit capability can place a javascript: URL in form_name that survives into the rendered output. typedefabcd1234ntd/CVE-2026-2002-poc demonstrates the bypass.
Key Findings
| Finding | Detail |
|---|---|
| CVE | CVE-2026-2002 |
| Parameter | form_name via variable replacement in HTML fields |
| Auth | Users with Edit Form privilege (can be delegated below admin) |
| Vector | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N |
| Logic bug | Sanitize-then-substitute ordering inversion |
Attack Chain
- Attacker edits a form so that an HTML field contains <a href="{form_name}">.
- form_name is set to javascript:alert(1).
- wp_kses_post passes the field (no script tags or javascript: URL are present in it yet).
- Variable replacement injects the javascript: URL, yielding XSS when the form is viewed.
Impact
Session hijacking or administrative actions performed in the context of users who view a poisoned form. Severity is limited by the high-privilege prerequisite, but the bug is notable as a sanitize-then-substitute ordering flaw.
Mitigation
- Update Forminator past 1.50.2 when vendor fix available.
- Restrict form-management capability; CSP on wp-admin.
- Code review pattern: never substitute user variables after sanitization.
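The ordering inversion and its fix, as an added example that is not Forminator's or WordPress's code: kses_like() is a constructed stand-in for only the href scheme allowlist that wp_kses_post() applies, replace_variables() stands in for forminator_replace_variables(), and find_unsafe_form_names() is an assumed audit helper for stored form records.

```python
import re

# Constructed, simplified model of the ordering bug; this is NOT Forminator's or
# WordPress's code. kses_like() stands in for the href scheme allowlist that
# wp_kses_post() applies (it models only that one check), and
# replace_variables() stands in for forminator_replace_variables().
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel", "ftp"}
HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)


def sanitize_href(value: str) -> str:
    """Keep the href value only if it has no scheme or an allowlisted one."""
    # Strip whitespace/control characters that could split the scheme name.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value)
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.IGNORECASE)
    if m and m.group(1).lower() not in ALLOWED_SCHEMES:
        return ""
    return value


def kses_like(html_field: str) -> str:
    """Run every href attribute in the stored HTML field through sanitize_href()."""
    return HREF_RE.sub(lambda m: f'href="{sanitize_href(m.group(1))}"', html_field)


def replace_variables(html_field: str, form: dict) -> str:
    """Substitute {form_name} with the value stored on the form record."""
    return html_field.replace("{form_name}", form["form_name"])


def render_vulnerable(html_field: str, form: dict) -> str:
    """Ordering in affected versions: sanitize the template, then substitute."""
    return replace_variables(kses_like(html_field), form)


def render_fixed(html_field: str, form: dict) -> str:
    """Corrected ordering: substitute first so the sanitizer sees the final markup."""
    return kses_like(replace_variables(html_field, form))


def find_unsafe_form_names(forms: list) -> list:
    """Defender audit (assumed helper): ids of stored forms whose form_name carries a disallowed scheme."""
    return [f["id"] for f in forms if f["form_name"] and not sanitize_href(f["form_name"])]


if __name__ == "__main__":
    field = '<a href="{form_name}">Open form</a>'          # stored HTML field
    form = {"id": 7, "form_name": "javascript:alert(1)"}   # constructed sample record
    print(render_vulnerable(field, form))  # javascript: URL reaches the page
    print(render_fixed(field, form))       # href emptied by the allowlist
```

The audit helper can be pointed at an export of the plugin's stored form records to flag names that would never pass the sanitizer once substitution happens first.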