Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information.
Published: 2026-01-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via unauthorized CSV export
Action: Patch
AI Analysis

Impact

The Forminator Forms plugin for WordPress has an authorization bypass in all versions up to 1.49.1 through the listen_for_csv_export function. The plugin does not verify that the requesting user can export data, so any authenticated user who can access the Forminator dashboard can download CSV files containing sensitive form submissions, including personally identifiable information. This missing-authorization flaw (CWE-862) results in a confidentiality compromise of the data collected by the plugin.

Affected Systems

The vulnerability affects the Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin developed by WpMudev. All releases numbered 1.49.1 and earlier are susceptible. Any WordPress site that uses the plugin and grants dashboard access to users is at risk; updating to any version above 1.49.1 removes the flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS value of less than 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, and no public exploit has been disclosed. The attacker must first authenticate to the WordPress site and have dashboard access; once those conditions are satisfied, the CSV export can be invoked without additional privileges, allowing large volumes of data to be exfiltrated.

Generated by OpenCVE AI on April 27, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor website for a patch or security update that addresses the CSV export authorization bypass.
  • If an upgrade cannot be performed immediately, restrict the CSV export handled by listen_for_csv_export to trusted administrators by withholding the relevant capability from all other roles, using a role-management plugin or custom code.
  • As a temporary protection, remove or disable the export feature via a custom snippet that hooks into the export function or by disabling the export option in the plugin settings.
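The missing-authorization pattern described in the Impact section, and the "custom code" restriction suggested in the two bullets above, illustrated with an added example that is not Forminator's code and does not reproduce its handler: a generic WordPress admin CSV-export listener in the unsafe shape (authentication only) next to a hardened shape that also checks a capability and a nonce. The query parameters, hook, nonce action, the 'manage_options' capability and the example_stream_submissions_csv data source are all assumptions chosen for the illustration.

```php
<?php
// Added illustration, not Forminator code. Hook names, query parameters,
// the capability used and the data source are hypothetical.

/**
 * UNSAFE shape: the handler only asks "is somebody logged in?" and never
 * asks "may this user export submissions?". Every authenticated user who
 * can reach wp-admin can trigger the download. Deliberately not hooked.
 */
function example_listen_for_csv_export_unsafe() {
    if ( ! isset( $_GET['example_csv_export'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {            // authentication only
        return;
    }
    $form_id = absint( $_GET['form_id'] ?? 0 );
    example_stream_submissions_csv( $form_id ); // no authorization check
    exit;
}

/**
 * HARDENED shape: authentication, authorization (capability) and request
 * intent (nonce) are all verified before any data leaves the server.
 */
function example_listen_for_csv_export_safe() {
    if ( ! isset( $_GET['example_csv_export'] ) ) {
        return;
    }
    $form_id = absint( $_GET['form_id'] ?? 0 );

    // Authorization: require a capability that ordinary dashboard users lack.
    // 'manage_options' is held by administrators on a single site; a plugin
    // would normally register its own capability and grant it per role, which
    // is exactly the knob a role-management plugin lets an admin turn.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to export submissions.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // CSRF protection: the export link must carry a nonce bound to this
    // action and this form id, so a crafted link cannot trigger the export.
    check_admin_referer( 'example_csv_export_' . $form_id, 'example_nonce' );

    example_stream_submissions_csv( $form_id );
    exit;
}
add_action( 'admin_init', 'example_listen_for_csv_export_safe' );

/** Builds the export link with the matching nonce for the dashboard UI. */
function example_csv_export_url( $form_id ) {
    $form_id = absint( $form_id );
    $url     = add_query_arg(
        array( 'example_csv_export' => 1, 'form_id' => $form_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_csv_export_' . $form_id, 'example_nonce' );
}

/** Hypothetical data source; a real plugin would query its own tables. */
function example_stream_submissions_csv( $form_id ) {
    $rows = array( // constructed sample data
        array( 'entry_id', 'email', 'message' ),
        array( 1, 'user@example.com', 'Hello' ),
    );
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="form-' . absint( $form_id ) . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
}
```

The difference between the two handlers is the whole of CWE-862: is_user_logged_in() establishes who the caller is, while current_user_can() decides whether that identity may perform this action. When auditing a plugin for this class of flaw, look for export, download or bulk-action handlers reachable from admin_init, admin_post or an AJAX action that reach the data-emitting code without a current_user_can() call on the way.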

Generated by OpenCVE AI on April 27, 2026 at 21:41 UTC.

Tracking

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 19:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Wordpress; Wordpress wordpress; Wpmudev; Wpmudev forminator Forms

Type: Vendors & Products
Values Removed: (empty)
Values Added: Wordpress; Wordpress wordpress; Wpmudev; Wpmudev forminator Forms

Fri, 09 Jan 2026 06:45:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information.

Type: Title
Values Removed: (empty)
Values Added: Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-862

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wpmudev Forminator Forms
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:38.865Z

Reserved: 2025-12-16T13:20:01.928Z

Link: CVE-2025-14782

Vulnrichment

Updated: 2026-01-09T18:21:29.099Z

NVD

Status : Deferred

Published: 2026-01-09T07:16:01.537

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14782

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses