Forminator Forms < 1.49.2 – Forminator User+ CSV Export | CVE 2025-14782 | Plugin Vulnerabilities

Description

The plugin is vulnerable to authorization bypass via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information.

Affects Plugins

Fixed in 1.49.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2b28ddeb-44f5-4d19-b866-94fc2088ee6d

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

a5a45996-bebd-4157-aa5b-7aff8052a245

Timeline

Publicly Published

2026-01-08 (about 4 months ago)

Added

2026-01-08 (about 4 months ago)

Last Updated

2026-01-08 (about 4 months ago)

Other

Published

Title

Published

2025-09-22

Title

Ibtana < 1.2.5.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion

Published

2025-04-02

Title

Minimalistic Event Manager <= 1.1.1 - Missing Authorization

Published

2025-02-21

Title

Residential Address Detection < 2.5.5 - Unauthenticated Arbitrary Options Update

Published

2025-10-24

Title

Product Filter by WBW < 3.0.1 - Missing Authorization to Unauthenticated Settings Update

Published

2024-07-09

Title

Featured Image Generator < 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Images Upload