Skip to main content

Forminator EUVDEUVD-2026-43427

| CVE-2026-57815 HIGH
Path Traversal (CWE-22)
2026-07-13 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable download endpoint (AV:N/AC:L/PR:N/UI:N) enabling arbitrary file read gives high confidentiality impact only, with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:23 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.5

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Path Traversal.This issue affects Forminator: from n/a through <= 1.55.0.2.

AnalysisAI

Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and including 1.55.0.2, letting remote unauthenticated attackers read files outside the intended directory (CVSS 7.5, confidentiality-only). The Patchstack reference characterizes this as an arbitrary file download flaw, meaning sensitive server files such as wp-config.php could be exfiltrated. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Forminator ≤1.55.0.2
Delivery
Send request with ../ traversal to download endpoint
Exploit
Bypass directory restriction
Execution
Read arbitrary server file
Impact
Exfiltrate wp-config.php credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable Forminator file-download/export handler is reachable - i.e., the plugin is installed and active on an internet-facing WordPress site running any version through 1.55.0.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity, unauthenticated exploitation requiring no user interaction, which is a genuine priority profile for an internet-facing WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to the vulnerable Forminator file-download endpoint with a traversal payload in the path parameter (e.g., ../../../../wp-config.php) and retrieves the file contents in the response. Using the disclosed database credentials and authentication salts, the attacker then pivots to the WordPress database or forges sessions. …
Remediation Upgrade Forminator to the first release above 1.55.0.2 (the fixed version is not specified in the provided data - confirm the exact patched build via the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/forminator/vulnerability/wordpress-forminator-plugin-1-55-0-2-arbitrary-file-download-vulnerability and the WPMU DEV changelog before deploying). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Forminator and immediately disable or remove the plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-4596 CRITICAL POC
9.8 Aug 30

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after

CVE-2024-7389 HIGH POC
7.5 Aug 02

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including

CVE-2019-9568 MEDIUM POC
6.5 Mar 04

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/ad

CVE-2023-3134 MEDIUM POC
6.1 Jul 31

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form field

CVE-2019-9567 MEDIUM POC
6.1 Mar 04

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a

CVE-2021-4417 MEDIUM POC
5.4 Jul 12

The Forminator - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Reque

CVE-2025-6463 HIGH
8.8 Jul 02

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary

CVE-2023-5119 MEDIUM POC
4.8 Nov 20

The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission s

CVE-2021-24700 MEDIUM POC
4.8 Nov 23

The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high

CVE-2025-6464 HIGH
7.5 Jul 02

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object

CVE-2024-1794 HIGH
7.2 Apr 09

The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. Rated high s

CVE-2024-31077 HIGH
7.2 Apr 23

Forminator prior to 1.29.3 contains a SQL injection vulnerability. Rated high severity (CVSS 7.2), this vulnerability is

Share

EUVD-2026-43427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy