CVE-2026-6214 MEDIUM

CVE-2026-6214: Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook

Vendor Wpmudev
Product Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Weakness CWE-862 · Missing authorization
Published May 7, 2026
Last update May 7, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration.
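To make the CWE-862 pattern the description refers to concrete, here is an added illustrative PHP example (hypothetical code written for this page, not Forminator's library/class-export.php): a wp_loaded listener that persists an export schedule with only a login check, beside a hardened form that adds a capability check, nonce verification and recipient validation. The function names, option key, nonce action and the 'manage_options' capability are assumptions.

```php
<?php
// Illustrative only: hypothetical plugin code, not Forminator's implementation.
// CWE-862 pattern: a request listener on wp_loaded that saves configuration
// without verifying that the requester is authorized to change it.

// --- Vulnerable pattern (hypothetical) ---------------------------------------
function example_save_export_schedule_vulnerable() {
    if ( ! isset( $_POST['action'] ) || 'forminator_export_entries' !== $_POST['action'] ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        return; // Authentication only: any subscriber passes this gate.
    }
    // Missing: capability check, nonce verification and recipient validation.
    $schedule = array(
        'form_id'  => (int) $_POST['form_id'],
        'email'    => $_POST['email'],     // unvalidated, requester-chosen recipient
        'interval' => $_POST['interval'],
    );
    update_option( 'example_export_schedule', $schedule );
}

// --- Hardened pattern --------------------------------------------------------
function example_save_export_schedule_fixed() {
    if ( ! isset( $_POST['action'] ) || 'forminator_export_entries' !== $_POST['action'] ) {
        return;
    }
    // 1. Authorization: only users allowed to administer the plugin may
    //    configure exports. 'manage_options' is an assumed capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry a nonce for this action.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_export_schedule' ) ) {
        wp_die( esc_html__( 'Invalid request.' ), '', array( 'response' => 403 ) );
    }
    // 3. Input validation: refuse anything that is not a well-formed address.
    $email = sanitize_email( wp_unslash( isset( $_POST['email'] ) ? $_POST['email'] : '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( esc_html__( 'Invalid email address.' ), '', array( 'response' => 400 ) );
    }
    $schedule = array(
        'form_id'  => absint( isset( $_POST['form_id'] ) ? $_POST['form_id'] : 0 ),
        'email'    => $email,
        'interval' => sanitize_key( isset( $_POST['interval'] ) ? $_POST['interval'] : 'daily' ),
    );
    update_option( 'example_export_schedule', $schedule );
}

add_action( 'wp_loaded', 'example_save_export_schedule_fixed' );
```

When reviewing a plugin for this class of bug, compare every listener hooked on wp_loaded, init or admin_init against its siblings: a state-changing handler that lacks the current_user_can() and wp_verify_nonce() calls its neighbours have is the finding described above.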

Explanation of Vulnerability in Simple Terms

02 Summary

Forminator Forms through version 1.53.0 fails to properly check user permissions before allowing access to sensitive form data. A logged-in user with low privileges can read form submissions and other data they should not have access to. The vulnerability requires a valid WordPress account but no special interaction from the victim.

What an attacker can do

03 Attacker Capabilities

Read form submissions and sensitive data belonging to other users or forms.

Potential impact on your site

04 Site Impact

Form data (submissions, user information) may be exposed to any logged-in user, not just authorized administrators.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account on the site.

Key dates

06 Disclosure timeline

May 7, 2026 CVE published
May 7, 2026 Record updated