PT-2026-38339 · WordPress · Forminator Forms

Anhcd05 · Published 2026-05-07 · Updated 2026-05-07 · CVE-2026-6214

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Forminator Forms versions prior to 1.53.1

Description

The plugin contains a missing authorization flaw: the `listen_for_saving_export_schedule()` function in library/class-export.php does not perform a capability check before saving scheduled export configurations. This allows authenticated attackers with subscriber-level access to configure a scheduled export job that sends all form submissions to an email address under their control, leading to the exfiltration of sensitive data.

Recommendations

Update the plugin to a version later than 1.53.0. As a temporary workaround, restrict access to the `listen_for_saving_export_schedule()` function to minimize the risk of exploitation.
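
The missing-authorization pattern described above, shown beside a hardened form. This is an added example, not Forminator's code: the function, option, nonce and field names are hypothetical, the `admin_init` hook and the `manage_options` capability are assumptions, and the file is meant to load inside WordPress as plugin code.

```php
<?php
// Hypothetical plugin code: every example_* name below is made up for
// illustration and does not come from Forminator.

// BEFORE: any logged-in user reaches update_option(), because nothing
// checks the caller's capabilities before the schedule is stored.
function example_save_export_schedule_unchecked() {
    if ( ! isset( $_POST['example_export_schedule'] ) ) {
        return;
    }
    update_option( 'example_export_schedule', array(
        'form_id' => absint( $_POST['form_id'] ?? 0 ),
        'email'   => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
    ) );
}

// AFTER: capability and nonce checks run before any state change.
function example_save_export_schedule() {
    if ( ! isset( $_POST['example_export_schedule'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage site options may
    // create or change an export schedule (capability is an assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to schedule exports.', '', array( 'response' => 403 ) );
    }
    // Request integrity: the settings form must carry this nonce.
    check_admin_referer( 'example_export_schedule', 'example_nonce' );

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid recipient address.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_export_schedule', array(
        'form_id' => absint( $_POST['form_id'] ?? 0 ),
        'email'   => $email,
    ) );
}

// Register only the checked handler. admin_init runs for any logged-in
// user who loads a wp-admin URL, so the hook itself authorizes nothing.
add_action( 'admin_init', 'example_save_export_schedule' );
```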

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-6214

Affected Products

Forminator Forms