CVE-2021-4417
Published 2023-07-12
CVE-2021-4417: The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and…
Priority: P417, medium, 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.36% (27.9th percentile)
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| incsub | forminator | < 1.13.5 | 1.13.5 |
VulDB
Forminator Plugin up to 1.13.4 on WordPress listen_for_saving_export_schedule cross-site request forgery (ID 2368977)
vuldb·2026-04-10·CVSS 5.4
CVE-2021-4417 [MEDIUM] Forminator Plugin up to 1.13.4 on WordPress listen_for_saving_export_schedule cross-site request forgery (ID 2368977)
A vulnerability has been found in Forminator Plugin up to 1.13.4 on WordPress and classified as problematic. This vulnerability affects the function listen_for_saving_export_schedule. Performing a manipulation results in cross-site request forgery.
This vulnerability is known as CVE-2021-4417. Remote exploitation of the attack is possible. No exploit is available.
GHSA
GHSA-wpm5-fh4f-wr9q: The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to,
ghsa_unreviewed·2023-07-12
CVE-2021-4417 [MEDIUM] CWE-352 GHSA-wpm5-fh4f-wr9q: The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to,
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/
https://plugins.trac.wordpress.org/changeset/2368977/forminator/trunk/library/class-export.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/cdee0cd8-b83b-4436-aebe-533f5af03ef1?source=cve
2023-07-12
Published