CVE-2026-6222: CWE-862 Missing Authorization in wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder
CVE-2026-6222 is a missing authorization vulnerability in the Forminator Forms WordPress plugin versions up to 1. 51. 1. It allows authenticated users with low privileges, such as subscribers, to perform sensitive module-management actions without proper capability checks. These actions include exporting form configurations, deleting modules or submissions, cloning modules, and changing publish status. The vulnerability arises because the plugin only verifies a nonce but does not check if the user has the 'manage_forminator_modules' capability. This flaw is exploitable due to the nonce being accessible on admin pages even to users without module-management permissions and the vulnerable code executing before WordPress enforces page-level capability checks.
AI Analysis
Technical Summary
The Forminator Forms plugin for WordPress contains a missing authorization vulnerability (CWE-862) in its `processRequest()` method within the `Forminator_Admin_Module_Edit_Page` class. This method dispatches sensitive actions such as export, delete, clone, and publish/draft changes after verifying only a nonce (`forminator_form_request`) without confirming the user's capability to manage modules. The nonce is globally exposed on all Forminator admin pages, including those accessible to low-privilege users. Because `processRequest()` runs during the `admin_menu` hook, which occurs before WordPress enforces page-level capability checks, authenticated users with minimal privileges can craft POST requests to perform unauthorized actions on any published module. This leads to unauthorized export of internal configurations (including sensitive integration credentials), deletion of modules and entries, cloning, and bulk status changes.
Potential Impact
An attacker with authenticated low-level access (e.g., subscriber role) can exploit this vulnerability to export sensitive internal configurations of forms, including notification routing and integration credentials, delete modules and all form submissions, clone modules, and change their publish status. This compromises confidentiality of sensitive data and integrity of form modules but does not affect availability or allow privilege escalation beyond these actions. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, high complexity, low privileges required, no user interaction, and high confidentiality impact.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or vendor advisory is provided in the available data. Users should monitor the vendor's official channels for updates and apply any forthcoming patches promptly. Until a fix is available, restrict access to the Forminator plugin admin pages to trusted users only and consider disabling or limiting the plugin's use where possible. Avoid granting unnecessary roles or permissions to low-privilege users. Do not rely solely on the nonce for authorization as it is insufficient in this case.
CVE-2026-6222: CWE-862 Missing Authorization in wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Description
CVE-2026-6222 is a missing authorization vulnerability in the Forminator Forms WordPress plugin versions up to 1. 51. 1. It allows authenticated users with low privileges, such as subscribers, to perform sensitive module-management actions without proper capability checks. These actions include exporting form configurations, deleting modules or submissions, cloning modules, and changing publish status. The vulnerability arises because the plugin only verifies a nonce but does not check if the user has the 'manage_forminator_modules' capability. This flaw is exploitable due to the nonce being accessible on admin pages even to users without module-management permissions and the vulnerable code executing before WordPress enforces page-level capability checks.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Forminator Forms plugin for WordPress contains a missing authorization vulnerability (CWE-862) in its `processRequest()` method within the `Forminator_Admin_Module_Edit_Page` class. This method dispatches sensitive actions such as export, delete, clone, and publish/draft changes after verifying only a nonce (`forminator_form_request`) without confirming the user's capability to manage modules. The nonce is globally exposed on all Forminator admin pages, including those accessible to low-privilege users. Because `processRequest()` runs during the `admin_menu` hook, which occurs before WordPress enforces page-level capability checks, authenticated users with minimal privileges can craft POST requests to perform unauthorized actions on any published module. This leads to unauthorized export of internal configurations (including sensitive integration credentials), deletion of modules and entries, cloning, and bulk status changes.
Potential Impact
An attacker with authenticated low-level access (e.g., subscriber role) can exploit this vulnerability to export sensitive internal configurations of forms, including notification routing and integration credentials, delete modules and all form submissions, clone modules, and change their publish status. This compromises confidentiality of sensitive data and integrity of form modules but does not affect availability or allow privilege escalation beyond these actions. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, high complexity, low privileges required, no user interaction, and high confidentiality impact.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or vendor advisory is provided in the available data. Users should monitor the vendor's official channels for updates and apply any forthcoming patches promptly. Until a fix is available, restrict access to the Forminator plugin admin pages to trusted users only and consider disabling or limiting the plugin's use where possible. Avoid granting unnecessary roles or permissions to low-privilege users. Do not rely solely on the nonce for authorization as it is insufficient in this case.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-13T13:36:22.720Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fbfaa7cbff5d8610569fa5
Added to database: 5/7/2026, 2:36:23 AM
Last enriched: 5/7/2026, 2:51:24 AM
Last updated: 5/7/2026, 3:51:55 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.