WordPress Security Bulletin: WPMU DEV – Your All-in-One WordPress Platform Forminator forminator (CVE-2026-32409)


Security Alert Summary

A missing authorization (broken access control) vulnerability has been identified in the WPMU DEV – Your All-in-One WordPress Platform Forminator forminator plugin. Because access control security levels are incorrectly configured, actions can be performed without the intended authorization. The issue affects versions through 1.50.2. Site owners should review their use of the plugin and user roles to determine exposure.


CVE Details

  • CVE ID: CVE-2026-32409
  • Affected plugin / component: WPMU DEV – Your All-in-One WordPress Platform Forminator forminator (as stated in the CVE description)
  • Affected versions: from n/a through <= 1.50.2 (as stated in the CVE description)
  • Published: March 13, 2026 at 7:54:57 PM UTC
  • Last modified: March 13, 2026 at 7:54:57 PM UTC
  • CVSS v3.1: Base Score 5.3 — MEDIUM; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Authentication / Privileges / User Interaction: No authentication required; Privileges Required: None; User Interaction: None
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: None
  • CWE / weakness: CWE-862 (Missing Authorization)
  • Fixed version: Not specified in the CVE entry

Technical Details

The CVE description identifies this issue as a Missing Authorization (broken access control) vulnerability caused by incorrectly configured access control security levels in the Forminator plugin. In practice, this means the plugin does not correctly enforce authorization checks for certain operations, allowing lower-privileged or unauthenticated actors to perform actions they should not be allowed to perform.

The CVE does not name specific functions, REST API endpoints, or code paths. Based on the provided data, the observed impact is a low integrity impact: unauthorized modification of plugin-managed data or settings is possible, but there is no indicated confidentiality or availability impact. No exploit details or proof-of-concept are provided in the CVE entry.


How This Could Impact Your Website

On a multi-user WordPress site, a missing authorization issue in a form or form-management plugin can allow an attacker or an improperly scoped user to alter form settings or content without the intended permissions. For example, an external contributor or contractor with limited access might be able to change form configurations or submission handling, which could lead to incorrect data collection or integrity issues in form-driven workflows.

From an operational perspective, this can create confusion for internal staff who rely on form data, require additional effort to verify submitted information, and erode trust in data integrity. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and other non-administrator accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and plugin logs for unusual behavior, including unexpected changes to form settings or submissions.
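
To determine exposure across several sites, the following added example (not taken from the CVE entry or from the plugin's authors) scans a directory tree for Forminator installs and compares each Version header against the last affected release, 1.50.2. It assumes the plugin sits in its default wp-content/plugins/forminator/forminator.php location; the function names and the sample header are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Last affected release per the CVE entry ("through <= 1.50.2").
LAST_AFFECTED = "1.50.2"
# Assumption: default slug directory and main file name of the plugin.
MAIN_FILE = "wp-content/plugins/forminator/forminator.php"
# WordPress takes a plugin's version from the "Version:" line of the header
# comment, which it looks for in the first 8 KB of the main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d\S*)", re.M | re.I)

# Constructed sample header, used for the self-check at the bottom.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Forminator
 * Version: 1.50.2
 */
"""

def header_version(php_source):
    """Return the Version header value, or None if the file has none."""
    m = HEADER_RE.search(php_source[:8192])
    return m.group(1) if m else None

def version_key(version, width=4):
    """Numeric key, so 1.9.0 sorts below 1.50.2; a -beta style suffix is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(version):
    return version_key(version) <= version_key(LAST_AFFECTED)

def scan(root):
    """Return [(main_file_path, version, status)] for every install under root."""
    findings = []
    for main in sorted(Path(root).rglob(MAIN_FILE)):
        version = header_version(main.read_text(encoding="utf-8", errors="replace"))
        if version is None:
            status = "unknown"  # no readable header: check this copy by hand
        else:
            status = "affected" if is_affected(version) else "above range"
        findings.append((str(main), version, status))
    return findings

if __name__ == "__main__":
    assert is_affected(header_version(SAMPLE_HEADER))
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:12} {version or '?':10} {path}")
```

Because the CVE entry names no fixed version, "above range" only means the installed version is higher than 1.50.2, not that it has been confirmed patched.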

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

