Authorization Bypass Vulnerability in Forminator Forms Plugin for WordPress
CVE-2025-14782

5.3 MEDIUM

What is CVE-2025-14782?

The Forminator Forms plugin for WordPress is vulnerable to an authorization bypass caused by inadequate checks in the 'listen_for_csv_export' function. Authenticated users with access to the Forminator dashboard can exploit this weakness to export sensitive form submission data, including personally identifiable information. This poses a significant risk because confidential data can be accessed without proper verification of user permissions.

Affected Version(s)

Forminator Forms – Contact Form, Payment Form & Custom Form Builder * <= 1.49.1

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M Indra Purnama