{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/forminator-forms--contact-form-payment-form--custom-form-builder-plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5192"}],"_cs_exploited":false,"_cs_products":["Forminator Forms – Contact Form, Payment Form \u0026 Custom Form Builder plugin"],"_cs_severities":["high"],"_cs_tags":["path-traversal","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Forminator Forms plugin for WordPress, a widely used plugin for building contact and payment forms, contains a path traversal vulnerability (CVE-2026-5192) in versions up to and including 1.52.1. The flaw lets unauthenticated attackers read sensitive files from the underlying server, but only when three conditions hold at once: a publicly accessible form contains a File Upload field, \u0026ldquo;Save and Continue\u0026rdquo; is enabled in that form\u0026rsquo;s Behavior settings, and the form\u0026rsquo;s email notifications are configured to attach uploaded files. 
This is a significant risk because the readable files include configuration files such as wp-config.php, which holds the site\u0026rsquo;s database credentials and other secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version of the Forminator plugin (\u0026lt;= 1.52.1).\u003c/li\u003e\n\u003cli\u003eThe attacker locates a publicly accessible form with a File Upload field.\u003c/li\u003e\n\u003cli\u003eThe form has \u0026ldquo;Save and Continue\u0026rdquo; enabled in its Behavior settings.\u003c/li\u003e\n\u003cli\u003eThe form\u0026rsquo;s Email Notifications are configured to attach uploaded files to the \u0026ldquo;Save and Continue\u0026rdquo; notification.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request in which the \u003ccode\u003eupload-1[file][file_path]\u003c/code\u003e parameter carries a traversal payload (e.g., \u003ccode\u003e../../../../wp-config.php\u003c/code\u003e) instead of the path of a file that was actually uploaded.\u003c/li\u003e\n\u003cli\u003eBecause the supplied path is not validated against the upload directory, the server resolves the traversed path and reads the arbitrary file.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the file contents, via the attachment on the notification email or from the server\u0026rsquo;s response, and so obtains sensitive data such as the contents of \u003ccode\u003ewp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to read arbitrary files on the WordPress server. This can expose sensitive information, such as the database credentials stored in \u003ccode\u003ewp-config.php\u003c/code\u003e, and potentially lead to full compromise of the WordPress site and the underlying server. 
The number of affected sites is potentially very high given the popularity of the Forminator plugin, and a successful attack can lead to data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Forminator Forms plugin to the latest version (any release after 1.52.1) to patch CVE-2026-5192.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is applied, audit publicly accessible forms that have File Upload fields and disable either \u0026ldquo;Save and Continue\u0026rdquo; or the attachment of uploaded files to notification emails; removing either precondition breaks the exploit chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Forminator Path Traversal Attempt\u003c/code\u003e to your SIEM to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for traversal sequences (\u003ccode\u003e../\u003c/code\u003e and its URL-encoded and double-encoded forms such as \u003ccode\u003e%2e%2e%2f\u003c/code\u003e) in the \u003ccode\u003eupload-1[file][file_path]\u003c/code\u003e parameter. The field index in the parameter name depends on the form, so match it as a pattern rather than a literal, and remember that parameters sent in a POST body do not appear in standard access logs, so this check also needs WAF or application-level request logging.\u003c/li\u003e\n\u003cli\u003eIn your own code, never open or attach a file named by a request parameter without first resolving the path and confirming it lies inside the intended upload directory; reject anything that resolves outside it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T07:16:00Z","date_published":"2026-05-05T07:16:00Z","id":"/briefs/2026-05-forminator-path-traversal/","summary":"The Forminator Forms WordPress plugin is vulnerable to an unauthenticated path traversal that allows reading arbitrary files on the server when specific features are enabled.","title":"Forminator Forms Plugin Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-forminator-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Forminator Forms – Contact Form, Payment Form \u0026 Custom Form Builder Plugin","version":"https://jsonfeed.org/version/1.1"}
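The following is an added example, not code from the Forminator plugin or from the CraftedSignal feed. It covers two points of the brief above: the log-monitoring recommendation (a scan of access-log lines for the `upload-1[file][file_path]` parameter carrying a traversal payload, decoding URL-encoded and double-encoded variants first) and the missing check behind the "insufficient input validation" step of the attack chain (resolving a user-supplied path and refusing anything that lands outside the upload directory). Assumptions: the logs are in Apache/nginx combined format, only the request target is inspected (a POST body is not in the access log), the field index in the parameter name varies per form and is therefore matched as `upload-N`, and the sample log lines and the upload directory path are constructed for this example.

```python
"""Added example for the Forminator CVE-2026-5192 brief (not the plugin's or
CraftedSignal's code): an access-log check for traversal in the file_path
parameter, plus the path-confinement check the vulnerable code path lacks."""
from __future__ import annotations

import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the field index (upload-1, upload-2, ...) depends on the form,
# so match any index instead of the literal "upload-1" from the brief.
FILE_PATH_PARAM = re.compile(r"^upload-\d+\[file\]\[file_path\]$")

# Request line of an Apache/nginx combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# ".." as a whole path segment, after decoding and normalising separators.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e%252e%252f (double-encoded ../) is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(target: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) for each file_path parameter in the
    request target whose value contains a traversal segment."""
    hits = []
    # parse_qs already strips one layer of percent-encoding from names and values.
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        name = fully_decode(name)
        if not FILE_PATH_PARAM.match(name):
            continue
        for value in values:
            decoded = fully_decode(value).replace("\\", "/")
            if TRAVERSAL_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def detect_traversal_in_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Scan access-log lines; return (line, parameter, decoded value) per attempt.
    Caveat: only the request target is visible here, so parameters sent in a
    POST body need WAF or application-level request logging instead."""
    results = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            for name, value in traversal_params(match.group("target")):
                results.append((line, name, value))
    return results


def resolve_inside(upload_dir: str, user_path: str) -> str | None:
    """The check the vulnerable code path is missing: resolve the user-supplied
    path and return it only if it stays inside upload_dir, otherwise None.
    os.path.join discards upload_dir when user_path is absolute, and realpath
    collapses ../ and symlinks, so both escape routes end up outside the base."""
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed sample log lines (combined format); the /contact/ path is made up.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/May/2026:07:20:01 +0000] "GET /contact/?upload-1%5Bfile%5D%5Bfile_path%5D=2026%2F05%2Freport.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/May/2026:07:21:13 +0000] "GET /contact/?upload-1%5Bfile%5D%5Bfile_path%5D=../../../../wp-config.php HTTP/1.1" 200 3072 "-" "curl/8.5.0"',
    '198.51.100.7 - - [05/May/2026:07:21:40 +0000] "GET /contact/?upload-2%5Bfile%5D%5Bfile_path%5D=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3072 "-" "curl/8.5.0"',
    '192.0.2.5 - - [05/May/2026:07:22:02 +0000] "GET /?page=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, name, value in detect_traversal_in_log(SAMPLE_LOG):
        print(f"ALERT {name}={value!r} from {line.split()[0]}")
    print(resolve_inside("/srv/uploads", "2026/05/report.pdf"))
    print(resolve_inside("/srv/uploads", "../../../../wp-config.php"))
```

The fourth sample line carries a traversal in an unrelated parameter and is deliberately not flagged: the point of the check is the sink named in the brief, and widening it to every parameter is a separate, noisier rule. The `resolve_inside` check compares resolved paths rather than looking for `..` in the string, which is why an absolute path or a symlink inside the upload directory is rejected as well.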