The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status.
The Forminator Forms WordPress plugin versions up to 1.51.1 lack proper authorization checks in the processRequest() method, allowing users without manage_forminator_modules capability to perform sensitive actions like export, delete, and clone forms using only a nonce. This vulnerability could enable unauthorized users to manipulate form data and configurations.
مكون Forminator Forms الخاص بـ WordPress يحتوي على ثغرة في التفويض تسمح للمستخدمين غير المصرح لهم بتنفيذ إجراءات حساسة مثل التصدير والحذف والاستنساخ للنماذج. تحدث الثغرة لأن الطريقة processRequest() تتحقق فقط من nonce دون التحقق من قدرات المستخدم manage_forminator_modules. يمكن للمهاجمين استغلال هذه الثغرة للتلاعب ببيانات النماذج والتكوينات الحساسة.
Forminator Forms plugin for WordPress up to version 1.51.1 has a missing authorization vulnerability that allows users without proper permissions to perform critical actions on forms using only nonce verification. Attackers could exploit this to delete, export, or modify forms without proper authorization checks.
Update Forminator Forms plugin to version 1.51.2 or later immediately. Verify user capabilities using manage_forminator_modules before processing sensitive module actions. Implement proper capability checks in addition to nonce verification. Restrict access to admin pages containing sensitive functionality to authorized users only.
قم بتحديث مكون Forminator Forms إلى الإصدار 1.51.2 أو أحدث فوراً. تحقق من صلاحيات المستخدم باستخدام manage_forminator_modules قبل معالجة إجراءات الوحدة الحساسة. طبق فحوصات القدرات المناسبة بالإضافة إلى التحقق من nonce. قيد الوصول إلى صفحات المسؤول التي تحتوي على وظائف حساسة للمستخدمين المصرح لهم فقط.