Description
The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Forminator Forms plugin dispatches module-management actions after validating only a nonce, without checking the user's capability. An attacker who can log into WordPress with only a low-privilege role (for example Subscriber, or a custom Forminator role restricted to Templates or Reports) can therefore craft authenticated requests that export, delete, clone, or otherwise alter form modules, exposing configuration data such as notification routing, integration credentials, and conditional logic.

Affected Systems

Forminator Forms, a WordPress plugin provided by wpmudev, is affected in all releases up to and including 1.51.1. Users running version 1.51.1 or earlier are at risk; newer releases (e.g., 1.52 and beyond) contain a fix that enforces the required capability check.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Because the flaw requires only an authenticated user with a low-privilege role, the likelihood of exploitation is high in environments where such roles are commonly granted. The vulnerability is not recorded in CISA KEV and no EPSS score is available. An attacker can craft a POST request containing the 'forminator_action' parameter and a valid nonce; the nonce is exposed on every Forminator admin page, and the request is processed during the admin_menu hook, before WordPress performs its page-level capability checks.

Generated by OpenCVE AI on May 7, 2026 at 03:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Forminator Forms plugin to version 1.52 or later to eliminate the missing authorization flaw.
  • If an upgrade is not feasible immediately, implement a temporary workaround by adding a pre-hook that verifies the 'manage_forminator_modules' capability before any Forminator admin action is processed, effectively blocking low-privilege users from executing module-management requests.
  • Modify role definitions or use a role-management plugin to prevent users with Subscriber or similar low-privilege Forminator roles from accessing any Forminator admin screens, since every such screen exposes the nonce needed to submit a 'forminator_action' request.
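One way to implement the pre-hook workaround from the second bullet is a must-use plugin dropped into wp-content/mu-plugins/. This is an added example, not code from Forminator, Wordfence or OpenCVE; it assumes Forminator registers its admin_menu handler at the default priority (mu-plugins load before regular plugins, so a priority-0 callback runs first), that administrators hold manage_forminator_modules, and the fmg_ function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Forminator module-action capability guard (temporary workaround)
 * Description: Blocks 'forminator_action' requests from users lacking manage_forminator_modules.
 */

defined( 'ABSPATH' ) || exit;

/**
 * True when the request carries a Forminator module-management action.
 * The advisory names the 'forminator_action' request parameter; this helper is hypothetical.
 */
function fmg_request_has_module_action() {
	return isset( $_REQUEST['forminator_action'] ) && '' !== $_REQUEST['forminator_action'];
}

/**
 * Hooked to admin_menu at priority 0 so it runs before Forminator's own
 * handler on that hook can reach processRequest(). Users holding the
 * capability pass through untouched; everyone else is stopped with a 403
 * and the attempt is written to the PHP error log for later triage.
 */
function fmg_enforce_module_capability() {
	if ( ! fmg_request_has_module_action() ) {
		return;
	}
	if ( current_user_can( 'manage_forminator_modules' ) ) {
		return;
	}
	error_log(
		sprintf(
			'forminator guard: blocked forminator_action=%s for user %d on %s',
			sanitize_key( wp_unslash( $_REQUEST['forminator_action'] ) ),
			get_current_user_id(),
			isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : ''
		)
	);
	wp_die( esc_html( 'You are not allowed to manage Forminator modules.' ), 403 );
}
add_action( 'admin_menu', 'fmg_enforce_module_capability', 0 );
```

The logged line gives a detection hook as well: a low-privilege account repeatedly tripping the guard is worth a look even after upgrading to a fixed release.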

Advisories

No advisories yet.

History

Thu, 07 May 2026 17:30:00 +0000
  • Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 04:15:00 +0000
  • First Time appeared: Wordpress; Wordpress wordpress; Wpmudev; Wpmudev forminator Forms – Contact Form, Payment Form & Custom Form Builder
  • Vendors & Products added: Wordpress; Wordpress wordpress; Wpmudev; Wpmudev forminator Forms – Contact Form, Payment Form & Custom Form Builder

Thu, 07 May 2026 02:00:00 +0000
  • Description added (the text is identical to the Description section at the top of this page)
  • Title added: Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter
  • Weaknesses added: CWE-862
  • References added: (none listed)
  • Metrics (cvssV3_1) added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-07T15:52:44.953Z

Reserved: 2026-04-13T13:36:22.720Z

Link: CVE-2026-6222

Vulnrichment

Updated: 2026-05-07T15:52:09.442Z

NVD

Status: Deferred

Published: 2026-05-07T02:16:37.920

Modified: 2026-05-07T14:00:05.650

Link: CVE-2026-6222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T04:00:14Z

Weaknesses