What the vulnerability does
01 Description
The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration.
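The following Python triage heuristic is an added example, not Forminator's code and not part of the original advisory. It flags PHP functions that write stored settings from request input without any capability check, which is the pattern described above. The PHP sample, its class, function and option names, and the 'manage_options' capability are constructed for illustration.

```python
import re

# Constructed sample, NOT the plugin's source: hypothetical handlers mirroring
# the pair in the advisory (one checks a capability, one does not).
SAMPLE_PHP = r'''
<?php
class Example_Export {
    public function handle_export_now() {            // guarded handler
        if ( ! current_user_can( 'manage_options' ) ) { return; }
        update_option( 'example_last_export', $_POST['form_id'] );
    }
    public function handle_save_schedule() {         // unguarded handler
        if ( ! isset( $_POST['example_schedule'] ) ) { return; }
        update_option( 'example_schedule', $_POST['email'] );
    }
    private function build_csv( $rows ) { return implode( "\n", $rows ); }
}
'''

FUNC_RE = re.compile(r'function\s+(\w+)\s*\([^)]*\)\s*\{')
REQUEST_RE = re.compile(r'\$_(POST|GET|REQUEST)\b')
WRITE_RE = re.compile(r'\b(update_option|add_option|update_post_meta|update_user_meta)\s*\(')
CAP_RE = re.compile(r'\b(current_user_can|user_can)\s*\(')

def function_bodies(src):
    """Yield (name, body) per PHP function using naive brace matching.
    Braces inside strings or comments are not handled; this is a review aid."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def unguarded_writers(src):
    """Functions that read request input and write state with no capability check."""
    return [name for name, body in function_bodies(src)
            if REQUEST_RE.search(body) and WRITE_RE.search(body)
            and not CAP_RE.search(body)]

if __name__ == "__main__":
    for name in unguarded_writers(SAMPLE_PHP):
        print(f"review: {name}() writes state from request input "
              "without a capability check")
```

A hit is a prompt for manual review, not a finding: a check performed in a caller or hook registration is invisible to this per-function scan.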
Explanation of Vulnerability in Simple Terms
02 Summary
Forminator Forms through version 1.53.0 fails to properly check user permissions before allowing access to sensitive form data. A logged-in user with low privileges can read form submissions and other data they should not have access to. The vulnerability requires a valid WordPress account but no special interaction from the victim.
What an attacker can do
03 Attacker Capabilities
Read form submissions and sensitive data belonging to other users or forms.
Potential impact on your site
04 Site Impact
Form data (submissions, user information) may be exposed to any logged-in user, not just authorized administrators.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account on the site.
Key dates
06 Disclosure timeline
May 7, 2026: CVE published
May 7, 2026: Record updated