CVE-2026-5192 - Vulnerability Details

Description

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications.

Published: 2026-05-05

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker to send a crafted file path via the upload-1[file][file_path] parameter. When a form has the Save and Continue feature enabled and email notifications are set to attach uploaded files, the plugin can expose the contents of any file that the web server process can read. This results in unauthorized disclosure of sensitive data without granting code execution or modifying system integrity.

Affected Systems

WordPress sites running Forminator Forms plugin version 1.52.1 or earlier are affected. Any site with a publicly reachable form that includes a File Upload field, has the Save and Continue option enabled, and the email notification configured to attach uploaded files is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high confidentiality risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is straightforward and requires no authentication, making it likely that an exposed site can be exploited by anyone who can submit a form.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wpmudev

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.52.1

No data.

Vendor Product Confidence Versions

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Wpmudev

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

100%

Version	Status	Scheme	Platform
`[0,1.52.1]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Forminator Forms to the latest version (at least 1.52.2).
Disable the File Upload field or the Save and Continue feature on all publicly accessible forms until a patched version is in place.
Configure web application firewall or server rules to block requests containing traversal patterns such as '..' or '../../../' in the upload-1[file][file_path] parameter, and monitor for such attempts.

Generated by OpenCVE AI on May 5, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3500671/forminator
https://www.wordfence.com/threat-intel/vulnerabilities/id/788422c4-e070-48aa-a85d-a5d5a25a6a1d?source=cve

History

Tue, 05 May 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wpmudev Wpmudev forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vendors & Products		Wordpress Wordpress wordpress Wpmudev Wpmudev forminator Forms – Contact Form, Payment Form & Custom Form Builder

Tue, 05 May 2026 07:00:00 +0000

Type	Values Removed	Values Added
Description		The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications.
Title		Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]'
Weaknesses		CWE-22
References		https://plugins.trac.wordpress.org/changeset/3500671/forminator https://www.wordfence.com/threat-intel/vulnerabilities/id/788422c4-e070-48aa-a85d-a5d5a25a6a1d?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Wordpress Wordpress

Wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-05T06:43:30.712Z

Updated: 2026-05-05T06:43:30.712Z

Reserved: 2026-03-30T21:05:06.011Z

Link: CVE-2026-5192

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T07:16:00.643

Modified: 2026-05-05T07:16:00.643

Link: CVE-2026-5192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T08:30:20Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object