CVE-2026-32409

Vulnerability

Overview

The Forminator plugin for WordPress, versions up to and including 1.50.2, contains a missing authorization vulnerability. This issue stems from incorrectly configured access control security level allows unprivileged users to perform actions that should require higher privileges. The issue stems from a lack of proper authorization checks in certain plugin functions [1].

Exploitation

An attacker can exploit this vulnerability without needing authentication or with minimal privileges, depending on the specific function affected. The broken access control means that nonce token checks or capability verifications are absent, enabling an unprivileged user to execute higher-privileged actions. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation could allow an attacker to access or modify data, or perform actions that should be restricted to administrators or other privileged roles. The CVSS score of 5.3 (Medium) reflects the potential for unauthorized access, though the vendor notes that the severity is low and exploitation is unlikely [1].

Mitigation

The vulnerability is patched in version 1.50.3. Users are strongly advised to update immediately. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].