WordPress · Forminator Forms · CVE-2026-6222
**Name of the Vulnerable Software and Affected Versions**
Forminator Forms versions prior to 1.52.0
**Description**
The `processRequest()` function in `Forminator_Admin_Module_Edit_Page` fails to verify that the current user possesses the `manage_forminator_modules` capability before executing sensitive module-management actions. These actions include exporting, deleting, cloning, deleting entries, and changing publish/draft status. The system relies solely on a nonce check using the `forminator_form_request` action, and that nonce is available in the global `forminatorData` JavaScript object on all admin pages. Since the function is triggered during the `admin_menu` action hook, before page-level capability checks are enforced, authenticated attackers with low-privilege roles, such as subscribers, can craft POST requests to export internal configurations (including integration credentials and notification routing), delete modules, or remove all submissions and votes.
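The following PHP sketch is an added illustration of this pattern beside its hardened form; it is not Forminator's source code. The capability and nonce action are the ones named above, written with underscores, while the function names, the `example_action` and `example_nonce` POST fields, and `example_delete_module()` are hypothetical.

```php
<?php
// Added illustration, NOT Forminator source. Function names, the
// 'example_action' / 'example_nonce' POST fields and example_delete_module()
// are hypothetical.

// Stand-in for a sensitive module-management action.
function example_delete_module( $id ) {
    wp_trash_post( $id );
}

// Vulnerable pattern: hooked on admin_menu, so it runs for every logged-in
// user who loads wp-admin, and it treats a valid nonce as authorization.
function example_process_request_vulnerable() {
    if ( empty( $_POST['example_action'] ) || empty( $_POST['example_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) );
    // A nonce only binds the request to a user session (CSRF defence). Any
    // role that is handed the nonce in page JavaScript passes this check.
    if ( ! wp_verify_nonce( $nonce, 'forminator_form_request' ) ) {
        return;
    }
    example_delete_module( absint( $_POST['id'] ?? 0 ) );
}

// Hardened pattern: authorize first, then validate the nonce, then act.
function example_process_request_hardened() {
    if ( empty( $_POST['example_action'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_forminator_modules' ) ) {
        wp_die( 'You are not allowed to manage modules.', '', array( 'response' => 403 ) );
    }
    // Dies with an error page if the nonce is missing or invalid.
    check_admin_referer( 'forminator_form_request', 'example_nonce' );
    example_delete_module( absint( $_POST['id'] ?? 0 ) );
}

// Only the hardened handler is registered.
add_action( 'admin_menu', 'example_process_request_hardened' );
```

The same ordering applies to any handler hooked on `admin_menu`, `admin_init` or `init`: those hooks fire regardless of which admin page was requested, so the handler has to enforce its own capability check.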
**Recommendations**
Update to a version later than 1.51.1.