Forminator Forms Missing Authorization Vulnerability Allowing Sensitive Information Disclosure

Vulnerability

A missing authorization vulnerability has been identified in the Forminator Forms plugin for WordPress, affecting versions through 1.51.1. The issue arises because the 'processRequest()' method in 'Forminator_Admin_Module_Edit_Page' dispatches sensitive module-management actions—such as export, delete, clone, and bulk status changes—after only a nonce check. This approach fails to verify whether the user has the 'manage_forminator_modules' capability. The nonce is automatically included in the global 'forminatorData' JavaScript object on every Forminator admin page, including Templates and Reports, which are accessible to users without module-management permissions. Exploitation is possible for authenticated users with subscriber-level access or custom low-privilege Forminator roles, allowing them to manipulate form configurations, delete entries, or alter module statuses.

Impact

Exploitation of this vulnerability could lead to unauthorized access and modification of form-related data, including the export of sensitive configuration details and the deletion of form entries or modules.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or a custom low-privilege Forminator role can send a POST request to the WordPress admin area. The request must include the 'forminator_form_request' nonce, which is available on all Forminator admin pages. The 'processRequest()' method will then execute the requested module-management action without proper authorization, allowing the user to export form data, delete entries, clone modules, or change publication statuses.
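The following is an added illustrative example, not Forminator's own code, showing the defensive pattern the advisory implies: a nonce check alone only ties the request to an admin page (the token is exposed in the global 'forminatorData' object), so the dispatcher must also verify the 'manage_forminator_modules' capability before any module-management action runs. The class name, the POST field names and the action list are assumptions made for the demonstration.

```php
<?php
// Added example, not the plugin's code. Method and capability names follow the
// advisory; the class name, POST fields and action list are assumptions.
class Hypothetical_Module_Edit_Page {

    // Capability named in the advisory for module management.
    const REQUIRED_CAP = 'manage_forminator_modules';

    // Actions that expose or change module data and therefore need the capability.
    private static $privileged_actions = array(
        'export', 'delete', 'clone', 'bulk_publish', 'bulk_draft',
    );

    public function processRequest() {
        // 1. Nonce: proves the request originated from a Forminator admin page.
        //    This is CSRF protection only; every admin page (Templates, Reports,
        //    ...) ships the same token, so it says nothing about the user's role.
        $nonce = isset( $_POST['_wpnonce'] )
            ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
            : '';
        if ( ! wp_verify_nonce( $nonce, 'forminator_form_request' ) ) {
            wp_die( 'Invalid request.', 403 );
        }

        // 2. Authorization: the check that was missing in the affected versions.
        //    Without it, any authenticated user who can reach an admin page
        //    (subscriber, custom low-privilege role) could dispatch the actions below.
        if ( ! current_user_can( self::REQUIRED_CAP ) ) {
            wp_die( 'You are not allowed to manage modules.', 403 );
        }

        // 3. Only dispatch actions from an explicit allow-list (assumed field name).
        $action = isset( $_POST['module_action'] ) ? sanitize_key( $_POST['module_action'] ) : '';
        if ( ! in_array( $action, self::$privileged_actions, true ) ) {
            wp_die( 'Unknown action.', 400 );
        }

        $this->dispatch( $action );
    }

    private function dispatch( $action ) {
        // Each handler re-checks the capability so the guard cannot be bypassed
        // if a handler is ever wired to another entry point (AJAX, REST).
        if ( ! current_user_can( self::REQUIRED_CAP ) ) {
            wp_die( 'Forbidden.', 403 );
        }
        // ... per-action export/delete/clone/status logic would follow here.
    }
}
```

For a site that cannot update immediately, the same two-step check (nonce, then capability) is what an audit of custom plugin code should look for on every admin dispatcher.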

Remediation

Users are advised to update the Forminator Forms plugin to version 1.52 or later.

Added: May 7, 2026, 2:19 AM
Updated: May 7, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm (each category scored 0.0 to 10.0):

spread: 0.0
impact: 3.8
exploitability: 6.3
remediation: 0.0
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.