CVE-2026-6222
Status: Deferred - Pending Action
Missing Authorization in Forminator WordPress Plugin

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: Wordfence

Description
The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. The `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatches sensitive module-management actions (export, delete, clone, delete-entries, publish/draft, and their bulk variants) after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. A nonce is a CSRF token, not an authorization check: it shows that the request was made by a user who was served the token, not that the user is allowed to perform the action.

The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including the Templates and Reports pages that are accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook, which fires before WordPress enforces page-level capability checks, a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and trigger the vulnerable actions.

This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms, polls and quizzes (including notification routing, integration credentials and conditional logic), delete modules, delete all submissions and votes, clone modules, or bulk-change publish/draft status.
Meta Information
Generated: 2026-05-18
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-11
External references: NVD, EUVD
Affected Vendors & Products (showing 1 associated CPE)
Vendor    Product     Version / Range
wpforms   forminator  up to and including 1.51.1
Exploitability
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated attackers with low-level access to export the complete internal configuration of arbitrary forms, including notification routing, integration credentials, and conditional logic. Such exposure of sensitive configuration data could lead to unauthorized access or disclosure of personal data managed by the forms.

Because the vulnerability enables unauthorized export and deletion of form data and configurations, it may lead to violations of data protection regulations such as GDPR or HIPAA, which require strict controls over access to personal and sensitive information.

Specifically, the lack of proper authorization checks could result in unauthorized data access or loss, undermining compliance with standards that mandate data confidentiality, integrity, and access control.


Can you explain this vulnerability to me?

The Forminator Forms plugin for WordPress has a vulnerability called Missing Authorization in versions up to and including 1.51.1. This occurs because the processRequest() method in the Forminator_Admin_Module_Edit_Page class performs sensitive module-management actions after only checking a nonce, without verifying if the user has the required manage_forminator_modules capability.

The nonce used is embedded in the global JavaScript object on every Forminator admin page, even pages accessible to users without module-management permissions. Since processRequest() is called early in the admin menu loading process, before WordPress enforces page-level capability checks, users with low privileges (like subscribers) can craft requests to perform actions such as exporting form configurations, deleting modules or entries, cloning modules, or changing publish status.
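The nonce-only gate described in the Description and restated in the answer above, beside one way to close it, as an added illustrative example. This is not Forminator's code or its patch: the `acme_` function names, the `acme_module` post type, the `manage_acme_modules` and `view_acme_reports` capabilities, the `acme_module_request` nonce action, the `acme_action`/`module_id` request fields and the `admin.js` asset are all hypothetical stand-ins for the real identifiers quoted in the Description. The WordPress functions it calls are real.

```php
<?php
/**
 * Added example (hypothetical "acme" plugin), not Forminator's code.
 * Shows the CWE-862 pattern from the advisory and how to close it.
 */

// Shared action handler. The object-type check keeps a valid nonce from being
// aimed at arbitrary post IDs; it is still no substitute for the capability check.
function acme_dispatch( $action, $module_id ) {
    $module = get_post( $module_id );
    if ( ! $module || 'acme_module' !== $module->post_type ) {
        wp_die( 'Unknown module', '', array( 'response' => 404 ) );
    }
    switch ( $action ) {
        case 'export': // settings meta is exactly the kind of data the advisory says leaks
            wp_send_json( array(
                'id'       => $module->ID,
                'title'    => $module->post_title,
                'settings' => get_post_meta( $module->ID, '_acme_settings', true ),
            ) );
        case 'delete':
            wp_delete_post( $module->ID, true );
            break;
        case 'clone':
            wp_insert_post( array(
                'post_type'   => 'acme_module',
                'post_title'  => $module->post_title . ' (copy)',
                'post_status' => 'draft',
            ) );
            break;
        default:
            wp_die( 'Unknown action', '', array( 'response' => 400 ) );
    }
}

// VULNERABLE PATTERN: hooked to admin_menu, which runs before the page-level
// capability check in wp-admin/menu.php, and gated by a nonce alone.
function acme_process_request_vulnerable() {
    if ( empty( $_POST['acme_action'] ) ) {
        return;
    }
    // wp_verify_nonce() is a CSRF check. Any logged-in user who was served the
    // token (here: anyone who can open any acme admin page) passes it.
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'acme_module_request' ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    acme_dispatch( sanitize_key( $_POST['acme_action'] ), absint( $_POST['module_id'] ?? 0 ) );
}
// The vulnerable wiring, shown but deliberately not registered:
// add_action( 'admin_menu', 'acme_process_request_vulnerable' );

// FIXED: authorize first, then verify the nonce, and run on the page's own
// load-{hook} action, which fires only after WordPress has confirmed the user
// may access that page.
function acme_process_request_fixed() {
    if ( empty( $_POST['acme_action'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_acme_modules' ) ) {
        wp_die( 'You are not allowed to manage modules.', '', array( 'response' => 403 ) );
    }
    // Verifies the _wpnonce field and dies with a 403 on failure.
    check_admin_referer( 'acme_module_request' );
    acme_dispatch( sanitize_key( $_POST['acme_action'] ), absint( $_POST['module_id'] ?? 0 ) );
}

function acme_render_modules_page() {
    echo '<form method="post"><input type="hidden" name="acme_action" value="export">';
    echo '<input type="hidden" name="module_id" value="' . absint( $_GET['module_id'] ?? 0 ) . '">';
    wp_nonce_field( 'acme_module_request' ); // emits the _wpnonce field
    submit_button( 'Export module' );
    echo '</form>';
}

function acme_render_reports_page() {
    echo '<p>Reports</p>'; // no module-management handler is attached to this page
}

function acme_register_admin_pages() {
    $hook = add_menu_page( 'Modules', 'Modules', 'manage_acme_modules', 'acme-modules', 'acme_render_modules_page' );
    add_action( "load-{$hook}", 'acme_process_request_fixed' );
    // A Reports page for users who must not manage modules gets a lesser capability.
    add_submenu_page( 'acme-modules', 'Reports', 'Reports', 'view_acme_reports', 'acme-reports', 'acme_render_reports_page' );
}
add_action( 'admin_menu', 'acme_register_admin_pages' );

// Only mint the nonce for users allowed to use it, so it never appears in the
// page source served to Reports-only or Templates-only users.
function acme_localize_admin_data() {
    $data = array( 'ajaxUrl' => admin_url( 'admin-ajax.php' ) );
    if ( current_user_can( 'manage_acme_modules' ) ) {
        $data['moduleNonce'] = wp_create_nonce( 'acme_module_request' );
    }
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeData', $data );
}
add_action( 'admin_enqueue_scripts', 'acme_localize_admin_data' );
```

The order in the fixed handler matters: `current_user_can()` decides whether the user may do anything at all, `check_admin_referer()` then confirms the request was not forged, and the handler is attached to `load-{hook}` rather than `admin_menu` so that it cannot run for a user WordPress would refuse the page to. Withholding the nonce from users without the capability is defence in depth only; the capability check is the actual fix. Whether upstream's correction for 1.51.1 takes this exact shape is not stated on this page.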


How can this vulnerability impact me?

This vulnerability allows authenticated users with low privileges, such as subscriber-level access, to perform unauthorized actions on Forminator modules. They can export sensitive internal configurations including notification routing, integration credentials, and conditional logic.

  • Export complete internal configuration of arbitrary forms, polls, or quizzes.
  • Delete modules or all submissions and votes.
  • Clone modules.
  • Bulk-change the publish or draft status of modules.

These impacts can lead to data exposure, loss of data integrity, and unauthorized modification or deletion of form-related content.

