Missing Authorization Issue in Forminator Forms Plugin for WordPress
CVE-2026-6222

5.3 MEDIUM

What is CVE-2026-6222?

The Forminator Forms plugin for WordPress is vulnerable to unauthorized module management because of inadequate user capability checks. Authenticated users with low privileges, such as subscribers, can carry out module-management actions that should require elevated privileges: exporting module configurations, deleting modules or form submissions, and changing the status of published content. The weakness is in the processRequest() method of the Forminator_Admin_Module_Edit_Page class, which relies on nonce validation as its gate but does not adequately verify the caller's capabilities. A WordPress nonce is a CSRF token bound to the logged-in user's session: it proves that the request originated from that user's own browsing session, not that the user is authorized to perform the requested action, so a low-privileged account that holds a valid nonce can submit a crafted request and manipulate data it should never be able to touch. Authorization has to be enforced with an explicit capability check (current_user_can() against the capability the action requires) in addition to the nonce check, so that users can only perform actions they are permitted to.
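To make the distinction between a nonce check and an authorization check concrete, the following is an added example written for this page; it is not code from Forminator or from the advisory. It shows a simplified WordPress admin-post handler in the vulnerable shape (nonce check only) beside a hardened one (nonce check, capability check, and an allow-list of actions). The hook and action names, the example_* functions, the manage_options gate, and the option-backed module store are assumptions made for the illustration.

```php
<?php
/**
 * Added example (not Forminator code): the authorization gap described above,
 * as a vulnerable WordPress admin-post handler beside a hardened one.
 * Hook names, the example_* functions, the manage_options gate and the
 * option-backed module store are assumptions made for this illustration.
 */

const EXAMPLE_NONCE_ACTION = 'example_module_action';
const EXAMPLE_NONCE_FIELD  = 'example_nonce';

/**
 * VULNERABLE: the nonce is the only gate.
 * A WordPress nonce is a CSRF token tied to the current user's session;
 * wp_create_nonce() hands one to any logged-in user, subscriber included.
 * Passing check_admin_referer() therefore proves the request came from the
 * caller's own session, not that the caller may delete or export modules.
 */
function example_process_request_vulnerable() {
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    $action    = sanitize_key( wp_unslash( $_REQUEST['example_action'] ?? '' ) );
    $module_id = absint( $_REQUEST['id'] ?? 0 );

    example_dispatch( $action, $module_id );
}

/**
 * HARDENED: nonce (CSRF) and capability (authorization) are separate checks,
 * and the requested action is allow-listed so unknown values fail closed.
 */
function example_process_request_fixed() {
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    // manage_options is a core capability held by administrators only; it
    // stands in here for whatever capability the real plugin requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage modules.', 'example' ), '', array( 'response' => 403 ) );
    }

    $action    = sanitize_key( wp_unslash( $_REQUEST['example_action'] ?? '' ) );
    $module_id = absint( $_REQUEST['id'] ?? 0 );

    if ( ! in_array( $action, array( 'delete', 'export', 'publish', 'draft' ), true ) ) {
        wp_die( esc_html__( 'Unknown module action.', 'example' ), '', array( 'response' => 400 ) );
    }

    example_dispatch( $action, $module_id );
}

/**
 * Acts on a module store kept in a single option. Each branch is either
 * destructive or disclosing: delete removes data, export reveals the module
 * configuration, publish/draft changes the status of published content.
 */
function example_dispatch( $action, $module_id ) {
    $modules = get_option( 'example_modules', array() );
    if ( ! isset( $modules[ $module_id ] ) ) {
        wp_die( esc_html__( 'No such module.', 'example' ), '', array( 'response' => 404 ) );
    }

    switch ( $action ) {
        case 'delete':
            unset( $modules[ $module_id ] );
            update_option( 'example_modules', $modules );
            break;
        case 'export':
            wp_send_json( $modules[ $module_id ] ); // emits JSON and exits
        case 'publish':
        case 'draft':
            $modules[ $module_id ]['status'] = $action;
            update_option( 'example_modules', $modules );
            break;
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example-modules' ) );
    exit;
}

// Only the hardened handler is hooked. admin_post_{action} is reachable by any
// logged-in user (matching Privileges Required: Low), which is exactly why the
// capability check inside the handler is needed; the admin_post_nopriv_ variant
// for anonymous visitors is deliberately not registered.
add_action( 'admin_post_example_module', 'example_process_request_fixed' );
```

The vulnerable function is what a subscriber-reachable handler looks like when the developer treats check_admin_referer() as authorization: every step after it runs for any account that can produce a nonce. The hardened function keeps the nonce check for CSRF protection and adds the capability check that actually decides who may act; the allow-list ensures a new action name added later does not become reachable by accident.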

Affected Version(s)

Forminator Forms – Contact Form, Payment Form & Custom Form Builder: all versions up to and including 1.51.1 (0 <= version <= 1.51.1)

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Vector encoded by the metrics above: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

Note: these metric values do not reproduce the stated 5.3 base score. Under the CVSS v3.1 formula the vector above scores 6.8 (impact 5.18 plus exploitability 1.62, rounded up); with AC:H and PR:L, a 5.3 results only when exactly one impact metric is High (C:H/I:N/A:N or C:N/I:N/A:H). Treat one of the listed impact metrics as likely mis-transcribed and confirm the vector string against the authoritative record before using it for prioritisation.

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

Chu Duc Anh