Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable download endpoint (AV:N/AC:L/PR:N/UI:N) enabling arbitrary file read gives high confidentiality impact only, with no integrity or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Path Traversal.This issue affects Forminator: from n/a through <= 1.55.0.2.
Articles & Coverage 2
AnalysisAI
Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and including 1.55.0.2, letting remote unauthenticated attackers read files outside the intended directory (CVSS 7.5, confidentiality-only). The Patchstack reference characterizes this as an arbitrary file download flaw, meaning sensitive server files such as wp-config.php could be exfiltrated. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the vulnerable Forminator file-download/export handler is reachable - i.e., the plugin is installed and active on an internet-facing WordPress site running any version through 1.55.0.2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity, unauthenticated exploitation requiring no user interaction, which is a genuine priority profile for an internet-facing WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to the vulnerable Forminator file-download endpoint with a traversal payload in the path parameter (e.g., ../../../../wp-config.php) and retrieves the file contents in the response. Using the disclosed database credentials and authentication salts, the attacker then pivots to the WordPress database or forges sessions. … |
| Remediation | Upgrade Forminator to the first release above 1.55.0.2 (the fixed version is not specified in the provided data - confirm the exact patched build via the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/forminator/vulnerability/wordpress-forminator-plugin-1-55-0-2-arbitrary-file-download-vulnerability and the WPMU DEV changelog before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using Forminator and immediately disable or remove the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Forminator
View allThe Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after
The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/ad
The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form field
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a
The Forminator - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Reque
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission s
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object
The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. Rated high s
Forminator prior to 1.29.3 contains a SQL injection vulnerability. Rated high severity (CVSS 7.2), this vulnerability is
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43427