CVE-2026-5192: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications.
AI Analysis
Technical Summary
The Forminator Forms plugin for WordPress versions up to 1.52.1 contains a CWE-22 path traversal vulnerability. An attacker can manipulate the 'upload-1[file][file_path]' parameter to traverse directories and read arbitrary files on the server without authentication. Successful exploitation depends on the presence of a publicly accessible form with a File Upload field that has the Save and Continue feature enabled and configured to attach uploaded files in email notifications. This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server.
Potential Impact
An unauthenticated attacker can read arbitrary files on the affected server, potentially exposing sensitive information. This compromises confidentiality but does not affect integrity or availability. The vulnerability requires specific plugin configuration to be exploitable.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until a patch is available, administrators should consider disabling the Save and Continue feature on forms that contain a File Upload field, or not configuring the Save and Continue email notification to attach uploaded files, to reduce exposure. Monitoring vendor channels for an official fix is recommended.
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-30T21:05:06.011Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f996efcbff5d8610d19722
Added to database: 5/5/2026, 7:06:23 AM
Last enriched: 5/5/2026, 7:21:19 AM
Last updated: 5/5/2026, 8:12:00 AM