CVE-2026-5192
Deferred Deferred - Pending Action
Path Traversal in Forminator WordPress Plugin

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5192
EUVD
EUVD-2026-27229
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpform forminator to 1.52.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated attackers to read arbitrary files on the server, which can include sensitive information. Exposure of such sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access.

Specifically, unauthorized disclosure of personal or protected health information due to this vulnerability could violate confidentiality requirements and lead to regulatory penalties.

Detection Guidance

Detection of this vulnerability involves identifying if the Forminator Forms plugin version 1.52.1 or earlier is installed and if a publicly accessible form with a File Upload field has the Save and Continue feature enabled along with Save and Continue email notifications configured to attach uploaded files.

Since the vulnerability exploits the 'upload-1[file][file_path]' parameter for path traversal, monitoring HTTP requests for unusual or suspicious values in this parameter can help detect exploitation attempts.

Specific commands or tools are not provided in the available resources, so manual inspection of plugin versions and form configurations is recommended.

Mitigation Strategies

Immediate mitigation steps include updating the Forminator Forms plugin to a version later than 1.52.1 where this vulnerability is fixed.

If updating is not immediately possible, disable the Save and Continue feature on forms with File Upload fields or disable the Save and Continue email notifications that attach uploaded files.

Additionally, restrict public access to forms with file upload fields until the vulnerability is addressed.

Executive Summary

The vulnerability exists in the Forminator Forms plugin for WordPress, specifically in versions up to and including 1.52.1. It is a Path Traversal vulnerability that occurs via the 'upload-1[file][file_path]' parameter.

This vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server. For the attack to succeed, the targeted form must be publicly accessible, include a File Upload field, have the 'Save and Continue' feature enabled in the form's Behavior settings, and have the Save and Continue email notification configured to attach uploaded files.

Impact Analysis

This vulnerability can impact you by allowing attackers to read sensitive files on your server without authentication. These files may contain confidential or private information, which could lead to data exposure or leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart