CVE-2026-5192: Forminator WordPress Plugin Path Traversal Exposes Server Files

The National Vulnerability Database has published CVE-2026-5192, a path traversal vulnerability in the Forminator Forms plugin for WordPress affecting all versions up to and including 1.52.1. The flaw is rated 7.5 (HIGH) on the CVSS scale and allows unauthenticated attackers to read arbitrary files on the server.

Exploitation depends on a specific configuration: a publicly accessible form with a File Upload field, 'Save and Continue' enabled in the form's Behavior settings, and the 'Save and Continue' email notification configured to attach uploaded files. Under those conditions the file that gets attached is located by a path taken from the request itself (the upload-1[file][file_path] parameter listed under Indicators of Compromise below), so an attacker who submits a traversal sequence in that value can point it at any file the web server user can read, such as the site's wp-config.php, and have its contents leave the server as an email attachment. That is how configuration data, database credentials, or other sensitive files get exposed.

None of the three preconditions is a misconfiguration on its own; each is an ordinary feature. The defect is that a code path reachable through them trusts a client-supplied file path, and that combination is exactly what opportunistic attackers look for: a common feature, reachable without authentication, that hands back file contents directly.
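The trust boundary described above, as an added example that is not Forminator's code: the flawed pattern of joining a client-supplied file_path onto the uploads directory, beside a hardened check that canonicalises the path and proves it stays inside the uploads directory. It is written in Python rather than PHP for portability; the directory layout, the function names and the wp-config.php target are assumptions for illustration.

```python
"""
Added example, not Forminator's code: the trust boundary behind "the client
supplies the server path of a file to attach", and the check that closes it.
Written in Python rather than PHP for portability; the directory layout,
function names and the wp-config.php target are assumptions for illustration.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def vulnerable_attachment_path(uploads_dir: str, client_file_path: str) -> str:
    """Flawed pattern: whatever was posted under the upload field's file_path
    value is joined onto the uploads directory and handed to the mailer.
    Nothing stops '../' segments, and os.path.join throws uploads_dir away
    entirely when the client value is absolute."""
    return os.path.join(uploads_dir, client_file_path)


def safe_attachment_path(uploads_dir: str, client_file_path: str) -> Optional[str]:
    """Hardened pattern: canonicalise both sides and require the result to stay
    inside uploads_dir. Returns None (reject) for absolute paths, NUL bytes,
    '../' traversal in any URL encoding, and symlinks that resolve outside."""
    base = os.path.realpath(uploads_dir)
    # Decode before checking so '..%2F' is not waved through by a textual test.
    candidate = unquote(unquote(client_file_path))
    if os.path.isabs(candidate) or "\x00" in candidate:
        return None
    # realpath collapses '..' and follows symlinks; commonpath then proves
    # containment (a plain startswith check would accept '/uploads_evil/..').
    resolved = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, resolved]) != base:
        return None
    if not os.path.isfile(resolved):
        return None
    return resolved


def make_demo_site() -> str:
    """Build a throwaway site tree (constructed fixture): an uploads dir holding
    resume.pdf, and a wp-config.php three levels up as the stand-in target."""
    root = tempfile.mkdtemp(prefix="forminator-demo-")
    uploads = os.path.join(root, "wp-content", "uploads", "forminator")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "resume.pdf"), "w") as f:
        f.write("%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    return uploads


if __name__ == "__main__":
    uploads = make_demo_site()
    for supplied in ("resume.pdf", "../../../wp-config.php",
                     "..%2F..%2F..%2Fwp-config.php", "/etc/passwd"):
        print(f"{supplied!r:36} vulnerable -> {vulnerable_attachment_path(uploads, supplied)}")
        print(f"{'':36} hardened   -> {safe_attachment_path(uploads, supplied)}")
```

The containment check is the minimum fix. The stronger design is to never accept a server path from the client at all: record upload metadata server-side under an opaque identifier when the file is stored, and have the notification code look the path up by that identifier, so the form submission carries no path to validate.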

What This Means For You

  • If your organization uses the Forminator Forms plugin on WordPress, check the installed version now. Anything at 1.52.1 or earlier is affected; update to the latest release. Then audit every form that has a File Upload field: disable 'Save and Continue' unless it is genuinely needed, and where it stays on, make sure the 'Save and Continue' email notification does not attach uploaded files. Review the email notification settings of every form that handles uploads, since that attachment setting is the last link in the chain that exposes server files.

🛡️ Detection Rules

Auto-generated detection rule for this advisory, mapped to MITRE ATT&CK. The source offers it in Sigma and several SIEM-native formats; the Sigma version is reproduced here. Because the rule was machine-generated, validate it against your own traffic before deploying it.

Level: high · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

CVE-2026-5192: Forminator Plugin Path Traversal - File Read Attempt (Sigma YAML)

title: CVE-2026-5192: Forminator Plugin Path Traversal - File Read Attempt
id: scw-2026-05-05-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-5192 by looking for requests under the
  Forminator plugin directory whose query string carries the File Upload field's
  file_path parameter (upload-1[file][file_path], normally URL-encoded) together
  with a path traversal sequence. The match is on 'file_path' rather than
  'file_path=' because the bracketed parameter name ends in ']=' or '%5D=', so a
  literal 'file_path=' never fires on the real parameter. Caveat: form
  submissions are POST requests and web server access logs do not record the
  request body, so this rule only sees traversal that appears in the query
  string; pair it with WAF or application-layer logging of POST parameters.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5192/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_plugin:
    cs-uri|contains: '/wp-content/plugins/forminator/'
  selection_param:
    cs-uri-query|contains: 'file_path'
  selection_traversal:
    cs-uri-query|contains:
      - '../'
      - '..%2f'
      - '..%2F'
      - '%2e%2e/'
      - '%2e%2e%2f'
      - '%2E%2E%2F'
      - '..\'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative activity
  - Vulnerability scanners and authorised security testing
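The rule's three selections applied to constructed access-log lines, as an added example that is not part of the original page or the rule author's work. It URL-decodes the query string before matching (so encoded and double-encoded traversal is caught), shows why a literal 'file_path=' string misses the bracketed parameter, and includes a POST line to make the rule's blind spot concrete. The endpoint name example-endpoint.php, the client addresses and timestamps are placeholders; /wp-admin/admin-ajax.php is assumed as the form's submission endpoint; the parameter name upload-1[file][file_path] comes from the IOC table.

```python
"""
Added example, not code from the original page or the rule author: the Sigma
rule's selections applied to constructed W3C-style access-log lines, URL-decoding
the query string before matching. example-endpoint.php, the client addresses and
the timestamps are placeholders; admin-ajax.php as the form's POST target is an
assumption; the parameter name upload-1[file][file_path] is from the IOC table.
"""
from urllib.parse import unquote

PLUGIN_DIR = "/wp-content/plugins/forminator/"
PARAM_MARKER = "file_path"        # hits upload-1[file][file_path] however it is encoded
TRAVERSAL = ("../", "..\\")

# Constructed sample log (not real traffic). Space-separated fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2026-05-05 10:20:01 203.0.113.7 GET /wp-content/plugins/forminator/example-endpoint.php upload-1%5Bfile%5D%5Bfile_path%5D=..%2F..%2F..%2Fwp-config.php 200
2026-05-05 10:21:14 198.51.100.3 GET /wp-content/plugins/forminator/example-endpoint.php upload-1%5Bfile%5D%5Bfile_path%5D=2026%2F05%2Fresume.pdf 200
2026-05-05 10:22:40 203.0.113.7 POST /wp-admin/admin-ajax.php - 200
"""


def parse_line(line: str) -> dict:
    """Split one W3C-style line into the fields the rule refers to."""
    date, time, ip, method, stem, query, status = line.split(" ")
    return {"cs-method": method, "cs-uri-stem": stem,
            "cs-uri-query": "" if query == "-" else query, "sc-status": status}


def decode_query(query: str) -> str:
    """Decode twice so %252e%252e%252f (double-encoded ../) is also caught."""
    return unquote(unquote(query))


def rule_matches(entry: dict) -> bool:
    """selection_plugin AND selection_param AND selection_traversal."""
    query = decode_query(entry["cs-uri-query"])
    return (PLUGIN_DIR in entry["cs-uri-stem"]
            and PARAM_MARKER in query
            and any(marker in query for marker in TRAVERSAL))


def scan(log_text: str) -> list:
    """Return the 0-based indices of log lines that match the rule."""
    return [i for i, line in enumerate(log_text.splitlines())
            if line.strip() and rule_matches(parse_line(line))]


def literal_file_path_eq_matches(raw_query: str) -> bool:
    """What a literal 'file_path=' string sees on the wire: the bracketed
    parameter name ends in ']=' or '%5D=', so this never fires on the real one."""
    return "file_path=" in raw_query


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG.splitlines()):
        print(i, "HIT " if rule_matches(parse_line(line)) else "miss", line)
```

Only the first line fires. The second is a benign upload reference and is correctly ignored. The third is the case to worry about: a form submission posted to the site's AJAX endpoint carries the traversal in the request body, which the access log never records, and the request path does not even contain the plugin directory, so an access-log rule cannot see it. Coverage for that path has to come from a WAF or from application-level logging of POST parameters.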



Indicators of Compromise

ID            | Type           | Indicator
CVE-2026-5192 | Path Traversal | Forminator Forms plugin for WordPress, versions <= 1.52.1
CVE-2026-5192 | Path Traversal | Vulnerable parameter: 'upload-1[file][file_path]'
CVE-2026-5192 | Path Traversal | Requires a publicly accessible form with a File Upload field, 'Save and Continue' enabled, and the 'Save and Continue' email notification configured to attach uploaded files
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 10:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

  • WebinarIgnition: Critical Blind SQL Injection CVE-2026-40797 (critical, CVSS 9.3). Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue...

  • CVE-2026-3454 (medium, CVSS 6.5). The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due...

  • CVE-2026-2729 (medium, CVSS 5.3). The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the...