Formie Craft CMS Plugin Cross-Site Scripting Vulnerability in Email Notifications
Vulnerability
A cross-site scripting vulnerability has been identified in the Formie plugin for Craft CMS, affecting versions through 2.1.43. Malicious code can be injected into the HTML content of an email notification, and that content is then rendered in the preview. Exploitation requires access to the form's email notification settings. The issue does not occur when the email is delivered normally.
Impact
Exploitation of this vulnerability results in cross-site scripting: the injected code executes in the context of the user viewing the email preview.
Remediation
Users can upgrade to Formie version 2.1.44 or later to address this vulnerability.
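To confirm whether a given Craft CMS project still pins an affected release, the check below reads a composer.lock and compares the Formie version against the fixed release named above. It is an added example, not code from the advisory or from the Formie project; the Composer package name `verbb/formie` and the sample lock contents are assumptions made for the illustration.

```python
import json
import re

PACKAGE = "verbb/formie"   # assumption: Composer package name for the Formie plugin
FIXED = (2, 1, 44)         # first fixed release, per the advisory


def parse_version(raw):
    """Return (major, minor, patch) for a plain release tag, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def formie_status(lock_text):
    """Classify a composer.lock: 'absent', 'affected', 'fixed' or 'unknown'."""
    lock = json.loads(lock_text)
    # Plugins normally sit in "packages"; check "packages-dev" as well.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            version = parse_version(pkg.get("version", ""))
            if version is None:
                # Branch aliases (dev-*) or pre-release tags need a manual look.
                return "unknown"
            return "affected" if version < FIXED else "fixed"
    return "absent"


# Constructed sample lock file, trimmed to the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.5.0"},
        {"name": "verbb/formie", "version": "2.1.43"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(formie_status(SAMPLE_LOCK))
```

A result of "unknown" means the lock file pins a branch or pre-release tag, so the installed code has to be checked by hand.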
