Description
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Forminator: from n/a through <= 1.50.2.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Plugin Functions
Action: Patch Now
AI Analysis

Impact

The vulnerability is described as a Missing Authorization issue in the WPMU DEV Forminator plugin. It allows attackers to exploit incorrectly configured access control security levels. As a result, unauthorized users can perform actions such as creating, editing, or deleting forms and accessing sensitive form data. This breaks confidentiality and integrity of site information and introduces potential for privilege escalation within the WordPress installation.

Affected Systems

All WordPress sites running the Forminator plugin version 1.50.2 or earlier are impacted. The affected product is WPMU DEV – Your All‑in‑One WordPress Platform: Forminator, which includes all legacy releases up to and including 1.50.2.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is Remote over the Web via crafted HTTP requests to the plugin’s administrative interfaces. Exploitation does not require local access and can lead to unauthorized data exposure or configuration changes if successful.

Generated by OpenCVE AI on March 19, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Forminator plugin to version 1.50.3 or later.
  • Restrict access to Forminator administrative pages to trusted administrators by modifying user roles or using a firewall rule.
  • Ensure the WordPress core and all other plugins are kept current with official releases.

Generated by OpenCVE AI on March 19, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpmu Dev - Your All-in-one Wordpress Platform
Wpmu Dev - Your All-in-one Wordpress Platform forminator
Vendors & Products Wordpress
Wordpress wordpress
Wpmu Dev - Your All-in-one Wordpress Platform
Wpmu Dev - Your All-in-one Wordpress Platform forminator

Sun, 15 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Forminator: from n/a through <= 1.50.2.
Title WordPress Forminator plugin <= 1.50.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpmu Dev - Your All-in-one Wordpress Platform Forminator
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:11.842Z

Reserved: 2026-03-12T11:11:19.857Z

Link: CVE-2026-32409

cve-icon Vulnrichment

Updated: 2026-03-13T18:45:59.128Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:57.607

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32409

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:53Z

Weaknesses