CVE-2026-6214

Published: Mag 07, 2026 Last Modified: Mag 07, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none

Description

AI Translation Available

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0003
Percentile
0,1th
Updated

EPSS Score Trend (Last 2 Days)

862

Missing Authorization

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Availability
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
Technologies: AI/ML, Database Server, Not Technology-Specific, Web Server
Likelihood of Exploit: High
View CWE Details
https://plugins.trac.wordpress.org/browser/forminator/tags/…
https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes…
https://plugins.trac.wordpress.org/browser/forminator/tags/…
https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/library/class…
https://plugins.trac.wordpress.org/browser/forminator/trunk…
https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class…
https://plugins.trac.wordpress.org/browser/forminator/trunk…
https://plugins.trac.wordpress.org/browser/forminator/trunk/library/class-expor…
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfp…
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&ne…
https://www.wordfence.com/threat-intel/vulnerabilities/id/d…
https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b8d42c-bceb-456e-a6…