CVE-2026-6214

EPSS 0.44%
Veröffentlicht 07.05.2026 04:16:35
Zuletzt bearbeitet 07.05.2026 14:00:05
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration.

Mögliche Gegenmaßnahme

Forminator Forms – Contact Form, Payment Form & Custom Form Builder: Update to version 1.53.0.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerwpmudev

≫

Produkt Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Default Statusunaffected

Version <= 1.53.0

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Version *-1.53.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.44%	0.349

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-l10n.php#L448

https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/library/class-export.php#L178

https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-l10n.php#L448

https://plugins.trac.wordpress.org/browser/forminator/trunk/library/class-export.php#L178

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3512045%40forminator%2Ftrunk&old=3510688%40forminator%2Ftrunk&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b8d42c-bceb-456e-a682-358e8df831e3?source=cve

https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b8d42c-bceb-456e-a682-358e8df831e3

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-6214

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-6214

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-6214

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-6214