Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Forminator: from n/a through <= 1.50.2.
AnalysisAI
Forminator through version 1.50.2 contains an authorization bypass that allows unauthenticated attackers to modify data through incorrectly configured access controls. The vulnerability affects WordPress sites using the WPMU DEV Forminator plugin and requires no user interaction to exploit. No patch is currently available for this issue.
Technical ContextAI
The vulnerability resides in the WPMU DEV Forminator WordPress plugin, a form-building and management extension identified by CPE string cpe:2.3:a:wpmu_dev:forminator. The root cause is classified under CWE-862 (Missing Authorization), which occurs when an application fails to properly verify user permissions before executing sensitive operations. WordPress plugins interact with the wp-admin and REST API endpoints; Forminator's authorization checks appear insufficient at one or more form submission, editing, or configuration endpoints. The plugin likely lacks proper capability checks via WordPress's is_user_logged_in() and current_user_can() functions, or the REST API endpoints do not validate nonces or user roles before processing form-related actions.
RemediationAI
Immediately upgrade WPMU DEV Forminator to version 1.50.3 or later, which addresses the authorization flaw. In WordPress Dashboard, navigate to Plugins > Installed Plugins, locate Forminator, and click Update if available; alternatively, download the patched version from wordpress.org/plugins/forminator and reinstall. Until patching is completed, temporarily restrict form submissions by disabling affected forms if they handle sensitive data, or implement an additional layer of WordPress role-based access control by limiting form visibility to authenticated users only via plugin settings. Verify that the plugin's capability checks align with WordPress security best practices by reviewing the changelog and security advisory from WPMU DEV. Conduct a security audit of any forms that were live during the vulnerable period to detect unauthorized modifications.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11926