CVE-2026-6222 MEDIUM

CVE-2026-6222: Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter

Vendor Wpmudev
Product Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Weakness CWE-862 · Missing authorization
Published May 7, 2026
Last update May 7, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status.
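The root cause above is a request handler that proves only where a request came from (nonce) and never who is allowed to make it (capability). The snippet below is an added illustration written for this record, not Forminator's own code: it contrasts that nonce-only gate with a hardened handler that checks the `manage_forminator_modules` capability before dispatching anything. The function names, the nonce field name and the dispatch helper are assumptions; `check_admin_referer()`, `current_user_can()`, `sanitize_key()` and `wp_die()` are standard WordPress functions, and the action name, nonce action and capability are the ones quoted in the advisory.

```php
<?php
// Added illustration, not Forminator's code. Names not quoted in the
// advisory (example_* functions, the nonce field name) are assumptions.

// Stand-in for the real module actions (export, delete, clone, ...).
function example_dispatch( $action ) {
    // ... perform the requested module-management action ...
}

// Vulnerable pattern: a nonce check alone. The nonce only shows the request
// originated from a page that embedded it; since the advisory says the nonce
// is localized on every Forminator admin page (Templates, Reports included),
// any low-privilege user with a Forminator role can obtain one.
function example_process_request_vulnerable() {
    if ( ! isset( $_POST['forminator_action'] ) ) {
        return;
    }
    // '_forminator_nonce' is an assumed field name for this illustration.
    check_admin_referer( 'forminator_form_request', '_forminator_nonce' );
    example_dispatch( sanitize_key( $_POST['forminator_action'] ) );
}

// Hardened pattern: authorization (capability) plus CSRF protection (nonce).
// The capability check has to live inside the handler itself because the
// advisory notes processRequest() runs on admin_menu, before WordPress applies
// its page-level capability checks, so nothing upstream will catch it.
function example_process_request_hardened() {
    if ( ! isset( $_POST['forminator_action'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_forminator_modules' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage modules.', 'example' ), 403 );
    }
    check_admin_referer( 'forminator_form_request', '_forminator_nonce' );
    example_dispatch( sanitize_key( $_POST['forminator_action'] ) );
}

add_action( 'admin_menu', 'example_process_request_hardened' );
```

The ordering matters for reviewers as well as for the fix: a nonce is a CSRF defence, not an access-control decision, so every sensitive action reachable through a shared handler like this needs its own capability check regardless of which admin page happens to embed the nonce.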

Explanation of Vulnerability in Simple Terms

Summary

Forminator Forms contains an authorization flaw that allows authenticated users with low privileges to read sensitive data they should not access. The vulnerability requires network access and some attack complexity, but does not require user interaction. It affects all versions up to 1.51.1. No integrity or availability impact occurs.

What an attacker can do

Attacker Capabilities

Read sensitive data from the form builder that should be restricted to higher-privilege users.

Potential impact on your site

Site Impact

Authenticated users can view confidential form data, settings, or submissions they should not access.

Conditions required to exploit

Prerequisites

Attacker must have a low-privilege account on the WordPress site; network access required.

Key dates

Disclosure timeline

May 7, 2026 CVE published
May 7, 2026 Record updated