Forminator Forms WordPress Plugin Authorization Bypass Vulnerability Allowing CSV Export of Sensitive Data

Vulnerability

A vulnerability exists in the Forminator Forms WordPress plugin, specifically in versions up to and including 1.49.1. The issue arises from an authorization bypass in the 'listen_for_csv_export' function, where the plugin fails to properly verify user permissions. This flaw enables authenticated users with access to the Forminator dashboard to export sensitive form submission data, including personally identifiable information.

Impact

Exploitation of this vulnerability allows for unauthorized export of form submission data, including personally identifiable information, by authenticated users with access to the Forminator dashboard.

Remediation

Users are advised to update the Forminator Forms plugin to version 1.49.2 or a newer patched version.
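To check which installs still need the update, the added example below (not part of the advisory or of the plugin's code) reads the plugin header version and compares it against 1.49.2. The plugin path under the WordPress root is an assumption about a default install, and the sample headers are constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 49, 2)  # first patched release named in the advisory
# Assumption: default plugin location relative to the WordPress root.
PLUGIN_FILE = Path("wp-content/plugins/forminator/forminator.php")
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

# Constructed sample plugin headers (not copied from the plugin).
SAMPLE_OLD = "<?php\n/**\n * Plugin Name: Forminator\n * Version: 1.49.1\n */\n"
SAMPLE_NEW = SAMPLE_OLD.replace("1.49.1", "1.49.2")


def parse_version(text):
    """Return the header version as an int tuple, or None if absent."""
    m = HEADER_RE.search(text[:8192])  # WordPress reads headers from the first 8 KiB
    num = re.match(r"\d+(?:\.\d+)*", m.group(1)) if m else None
    if not num:
        return None
    parts = [int(p) for p in num.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "1.50" -> (1, 50, 0)


def classify(text):
    """Compare numerically; string comparison would rank "1.9" above "1.49"."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED else "vulnerable"


def audit(webroots):
    """Map each WordPress root that has Forminator installed to its status."""
    results = {}
    for root in webroots:
        plugin = Path(root) / PLUGIN_FILE
        if plugin.is_file():
            results[str(root)] = classify(plugin.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    for root, status in audit(sys.argv[1:]).items():
        print(f"{root}: forminator {status}")
```

Pass one or more WordPress root directories as arguments; roots without the plugin are omitted from the output, and an unreadable header is reported as unknown rather than assumed safe.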

Added: Jan 9, 2026, 7:26 AM
Updated: Jan 9, 2026, 7:26 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 1.9
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.