CVE-2026-6214
BaseFortify
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpforms | forminator_forms | up to 1.53.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to sensitive data exfiltration by unauthorized users. Attackers with low-level access can configure the plugin to email all form submissions to themselves.
As a result, confidential or personal information collected via forms can be leaked, potentially causing privacy breaches and data loss.
Can you explain this vulnerability to me?
The vulnerability exists in the Forminator Forms plugin for WordPress, specifically in versions up to and including 1.53.0. It is caused by the listen_for_saving_export_schedule() function failing to check user permissions before saving scheduled export configurations.
Because of this missing authorization check, authenticated users with only subscriber-level access can configure scheduled export jobs that send all form submissions to an attacker-controlled email address.
This flaw allows attackers to exfiltrate sensitive data submitted through forms without proper authorization.
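The missing check described above, shown as an added illustration that is not Forminator's code: a save handler without an authorization check beside the same handler with a nonce and capability check. The handler names, request fields, nonce action and the choice of `manage_options` are assumptions, and the two small stand-in functions exist only so the file runs outside WordPress.

```php
<?php
// Added illustration of CWE-862 in a WordPress save handler; NOT Forminator's code.
// Handler names, request fields and the nonce action are hypothetical.

// Stand-ins so the file runs under plain PHP CLI; WordPress supplies the real ones.
if (!function_exists('current_user_can')) {
    function current_user_can($cap) { return in_array($cap, $GLOBALS['demo_caps'], true); }
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action) { return hash_equals('demo-' . $action, (string) $nonce); }
}

// Vulnerable shape: being logged in is enough to reach the save.
function save_export_schedule_unchecked(array $post, array &$store): bool {
    $store['export_schedule'] = ['email' => $post['email'], 'form_id' => (int) $post['form_id']];
    return true;
}

// Hardened shape: verify request intent (nonce) and authority (capability) first.
function save_export_schedule_checked(array $post, array &$store): bool {
    if (!wp_verify_nonce($post['_wpnonce'] ?? '', 'save_export_schedule')) {
        return false;
    }
    // Assumed capability; a plugin may register its own instead.
    if (!current_user_can('manage_options')) {
        return false;
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    $store['export_schedule'] = ['email' => $email, 'form_id' => (int) ($post['form_id'] ?? 0)];
    return true;
}

// Constructed request carrying a valid demo nonce.
$request = ['email' => 'someone@example.com', 'form_id' => '7',
            '_wpnonce' => 'demo-save_export_schedule'];

$GLOBALS['demo_caps'] = ['read'];                    // subscriber-level session
$unchecked = [];
$checked = [];
var_dump(save_export_schedule_unchecked($request, $unchecked));
var_dump(save_export_schedule_checked($request, $checked));

$GLOBALS['demo_caps'] = ['read', 'manage_options'];  // administrator session
var_dump(save_export_schedule_checked($request, $checked));
```

Under the subscriber-level session only the unchecked handler stores the schedule; the checked handler stores it once the caller holds the capability.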