PT-2026-36981 · WordPress · Forminator Forms

Daroo · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-5192

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Forminator Forms – Contact Form, Payment Form & Custom Form Builder versions prior to 1.52.2

Description

A Path Traversal issue exists in the Forminator Forms plugin for WordPress. Unauthenticated attackers can read arbitrary files on the server, potentially exposing sensitive information, by manipulating the upload-1[file][file path] parameter. This exploitation is possible if a publicly accessible form has a File Upload field with the Save and Continue feature enabled in the Behavior settings, and the corresponding email notification is configured to attach uploaded files.

Recommendations

Update the plugin to a version later than 1.52.1. As a temporary mitigation, disable the Save and Continue feature in the Behavior settings of forms containing File Upload fields or disable the attachment of uploaded files in Email Notifications.
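
For anyone reviewing similar attachment-handling code, the following added example (not Forminator's code and not taken from its fix) shows a containment check that resolves each request-supplied path and keeps only regular files inside a designated upload directory before they are attached to an email. The function name, the base directory argument and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not part of the Forminator plugin.
// Keeps only paths that resolve to regular files inside $baseDir.
function filter_attachments_within(array $paths, string $baseDir): array
{
    $base = realpath($baseDir);
    if ($base === false) {
        return [];                      // base directory missing: fail closed
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $safe = [];
    foreach ($paths as $path) {
        // Reject non-strings, empty values and embedded NUL bytes up front.
        if (!is_string($path) || $path === '' || strpos($path, "\0") !== false) {
            continue;
        }
        // realpath() collapses "../" segments and follows symlinks;
        // it returns false when the target does not exist.
        $real = realpath($path);
        if ($real === false || !is_file($real)) {
            continue;
        }
        // Compare against the base *with* trailing separator so that
        // "/uploads-other/x" is not accepted as being under "/uploads".
        if (strncmp($real, $base, strlen($base)) !== 0) {
            continue;
        }
        $safe[] = $real;
    }
    return $safe;
}

// Constructed demo data: a temporary tree with one upload and one outside file.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/resume.pdf', 'constructed sample');
file_put_contents($root . '/secret.conf', 'constructed sample');

$submitted = [                          // values as they might arrive from a request
    $uploads . '/resume.pdf',           // inside the base: kept
    $uploads . '/../secret.conf',       // resolves outside the base: dropped
    $uploads . '/missing.pdf',          // does not exist: dropped
];
print_r(filter_attachments_within($submitted, $uploads));

// Remove the constructed demo files.
unlink($uploads . '/resume.pdf'); unlink($root . '/secret.conf');
rmdir($uploads); rmdir($root);
```

The check runs on the resolved path rather than on the submitted string, so encoded or nested traversal sequences and symlinks are judged by where they actually point.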

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-5192

Affected Products: Forminator Forms