CVE-2026-5192
Path Traversal in Forminator WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpform | forminator | to 1.52.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to read arbitrary files on the server, which can include sensitive information. Exposure of such sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access.
Specifically, unauthorized disclosure of personal or protected health information due to this vulnerability could violate confidentiality requirements and lead to regulatory penalties.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Forminator Forms plugin version 1.52.1 or earlier is installed and if a publicly accessible form with a File Upload field has the Save and Continue feature enabled along with Save and Continue email notifications configured to attach uploaded files.
Since the vulnerability exploits the 'upload-1[file][file_path]' parameter for path traversal, monitoring HTTP requests for unusual or suspicious values in this parameter can help detect exploitation attempts.
Specific commands or tools are not provided in the available resources, so manual inspection of plugin versions and form configurations is recommended.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Forminator Forms plugin to a version later than 1.52.1 where this vulnerability is fixed.
If updating is not immediately possible, disable the Save and Continue feature on forms with File Upload fields or disable the Save and Continue email notifications that attach uploaded files.
Additionally, restrict public access to forms with file upload fields until the vulnerability is addressed.
Can you explain this vulnerability to me?
The vulnerability exists in the Forminator Forms plugin for WordPress, specifically in versions up to and including 1.52.1. It is a Path Traversal vulnerability that occurs via the 'upload-1[file][file_path]' parameter.
This vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server. For the attack to succeed, the targeted form must be publicly accessible, include a File Upload field, have the 'Save and Continue' feature enabled in the form's Behavior settings, and have the Save and Continue email notification configured to attach uploaded files.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to read sensitive files on your server without authentication. These files may contain confidential or private information, which could lead to data exposure or leakage.