PT-2026-38324 · WordPress · Forminator Forms

Anhcd05 · Published 2026-05-07 · Updated 2026-05-07 · CVE-2026-6222

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Forminator Forms versions prior to 1.52.0

Description

The processRequest() function in Forminator_Admin_Module_Edit_Page fails to verify that the current user holds the manage_forminator_modules capability before executing sensitive module-management actions. These actions include exporting, deleting, cloning, deleting entries, and changing publish/draft status. The only check is a nonce check using the forminator_form_request nonce, which is available in the global forminatorData JavaScript object on all admin pages. Because the function is triggered on the admin_menu action hook, before page-level capability checks are enforced, authenticated attackers with low-privilege roles, such as subscribers, can craft POST requests to export internal configurations (including integration credentials and notification routing), delete modules, or remove all submissions and votes.

Recommendations

Update to a version later than 1.51.1.
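
The weakness class described above, shown as an added example that is not Forminator's code and not part of the original advisory: a handler on an early admin hook that checks only a nonce, next to one that checks the capability first. All example_* names, the request field names and the action list are hypothetical, and the capability string is assumed from the description's wording.

```php
<?php
// Added illustration; not Forminator's code. All example_* names are hypothetical.

// Dispatches one module action to whatever code implements it.
function example_run_module_action( $action, $module_id ) {
	do_action( "example_module_{$action}", $module_id );
}

// BEFORE: nonce only. A nonce ties a request to a user and an action string;
// it says nothing about what that user is allowed to do. Any logged-in user
// who can read the nonce from an admin page passes this check.
// Shown for comparison and deliberately not hooked.
function example_process_request_nonce_only() {
	$nonce = isset( $_POST['example_nonce'] ) ? sanitize_key( wp_unslash( $_POST['example_nonce'] ) ) : '';
	if ( empty( $_POST['example_action'] ) || ! wp_verify_nonce( $nonce, 'example_request' ) ) {
		return;
	}
	$action = sanitize_key( wp_unslash( $_POST['example_action'] ) );
	example_run_module_action( $action, absint( $_POST['id'] ?? 0 ) );
}

// AFTER: capability check, then nonce, then an allow-list of actions.
function example_process_request() {
	if ( empty( $_POST['example_action'] ) ) {
		return;
	}
	// Authorization first. This handler runs on admin_menu, before WordPress
	// applies the admin page's own capability check, so it must enforce its own.
	if ( ! current_user_can( 'manage_forminator_modules' ) ) { // name assumed from the advisory text
		wp_die( esc_html__( 'You are not allowed to manage modules.', 'example' ), '', array( 'response' => 403 ) );
	}
	// CSRF protection second; check_admin_referer() dies on a bad or missing nonce.
	check_admin_referer( 'example_request', 'example_nonce' );

	$action  = sanitize_key( wp_unslash( $_POST['example_action'] ) );
	$allowed = array( 'export', 'delete', 'clone', 'delete-entries', 'update-status' ); // constructed list
	if ( in_array( $action, $allowed, true ) ) {
		example_run_module_action( $action, absint( $_POST['id'] ?? 0 ) );
	}
}
add_action( 'admin_menu', 'example_process_request' );
```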

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-6222

Affected Products

Forminator Forms