OFFSITE.DARK

Jun 29, 2026


Sploitus

  • wordpress
  • xss
  • cve-2026-2002
  • forminator

news

Forminator Stored XSS via form_name (CVE-2026-2002)

wp_kses_post() runs before forminator_replace_variables(): a javascript: URL placed in form_name bypasses sanitization. CVSS 4.4.

Summary

CVE-2026-2002 is a stored cross-site scripting flaw in the Forminator WordPress plugin, versions ≤ 1.50.2 (CVSS 4.4). Root cause: wp_kses_post() sanitizes the HTML field content before forminator_replace_variables() substitutes {form_name}, so a user with the form-edit capability can place a javascript: URL in form_name that survives into the rendered output. typedefabcd1234ntd/CVE-2026-2002-poc demonstrates the bypass.

Key Findings

Finding      Detail
CVE          CVE-2026-2002
Parameter    form_name via variable replacement in HTML fields
Auth         Users with the Edit Form privilege (can be delegated below admin)
Vector       CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Logic bug    Sanitize-then-substitute ordering inversion

Attack Chain

Attacker edits form: HTML field contains <a href="{form_name}">
        ↓
form_name set to javascript:alert(1)
        ↓
wp_kses_post passes (no script tags in field yet)
        ↓
Variable replacement injects javascript: URL → XSS on view

Impact

Session hijacking or admin actions performed in the context of users viewing poisoned forms. Severity is limited by the high-privilege prerequisite, but the flaw is notable as a logic-order bug.

Mitigation

  1. Update Forminator past 1.50.2 once a vendor fix is available.
  2. Restrict the form-management capability; deploy a CSP on wp-admin.
  3. Code review pattern: never substitute user-controlled variables after sanitization.
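The ordering bug from the summary and the review rule in item 3, modelled in Python as an added example (this is not Forminator's or WordPress's code): kses_like() and replace_variables() are simplified stand-ins for wp_kses_post() and forminator_replace_variables(), and the fixed path attribute-escapes the value, substitutes it, and only then sanitizes the final markup.

```python
import html
import re

# Constructed model of the sanitize/substitute ordering, not WordPress or
# Forminator code. kses_like() stands in for wp_kses_post() (only <a href>
# is handled); replace_variables() stands in for forminator_replace_variables().

ALLOWED_SCHEMES = {"http", "https", "mailto"}
HREF_RE = re.compile(r'href="([^"]*)"', re.IGNORECASE)
# A scheme candidate may carry whitespace/control chars used to disguise it.
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-\x00-\x20]*):(.*)$", re.IGNORECASE | re.DOTALL)
CONTROL_RE = re.compile(r"[\x00-\x20]")


def kses_like(markup: str) -> str:
    """Strip disallowed URL schemes from href values (stand-in for wp_kses_post)."""
    def clean_href(m: re.Match) -> str:
        url = m.group(1)
        found = SCHEME_RE.match(url)
        if found:
            scheme = CONTROL_RE.sub("", found.group(1)).lower()
            if scheme not in ALLOWED_SCHEMES:
                # Drop the bad scheme, roughly as wp_kses_bad_protocol() does.
                url = found.group(2)
        return f'href="{url}"'
    return HREF_RE.sub(clean_href, markup)


def replace_variables(markup: str, form_name: str) -> str:
    """Expand {form_name} (stand-in for forminator_replace_variables)."""
    return markup.replace("{form_name}", form_name)


def render_vulnerable(field_html: str, form_name: str) -> str:
    """Order described in the advisory: sanitize first, substitute after.
    The placeholder has no scheme, so kses passes it; the value lands unchecked."""
    return replace_variables(kses_like(field_html), form_name)


def render_fixed(field_html: str, form_name: str) -> str:
    """Escape the value as an attribute, substitute, then sanitize the result."""
    return kses_like(replace_variables(field_html, html.escape(form_name, quote=True)))


FIELD = '<a href="{form_name}">Open form</a>'  # constructed attacker-controlled HTML field

if __name__ == "__main__":
    for name in ("javascript:alert(1)", '" onmouseover="alert(1)', "Contact us"):
        print("vulnerable:", render_vulnerable(FIELD, name))
        print("fixed:     ", render_fixed(FIELD, name))
```

The second input shows why the escape step matters: reordering alone would let a quote in form_name break out of the href attribute, which the scheme check never sees.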
