Critical Forminator plugin flaw impacts over 300k WordPress sites

Bill Toulas, April 20, 2024, 11:19 AM

The Forminator WordPress plugin, used in over 500,000 sites, is vulnerable to a flaw that allows malicious actors to perform unrestricted file uploads to the server. Forminator, developed by WPMU DEV, is a versatile tool for creating custom contact forms, feedback forms, quizzes, surveys, polls, and payment forms with drag-and-drop functionality and extensive third-party integrations.

On Thursday, Japan’s CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator. This flaw may allow a remote attacker to upload malware on sites using the plugin, potentially enabling them to obtain sensitive information, alter the site, and cause a denial-of-service (DoS) condition.

JPCERT’s security bulletin lists the following three vulnerabilities:

  • CVE-2024-28890 – Insufficient validation of files during file upload, allowing a remote attacker to upload and execute malicious files on the site’s server. Impacts Forminator 1.29.0 and earlier.
  • CVE-2024-31077 – SQL injection flaw allowing remote attackers with admin privileges to execute arbitrary SQL queries in the site’s database. Impacts Forminator 1.29.3 and earlier.
  • CVE-2024-31857 – Cross-site scripting (XSS) flaw allowing a remote attacker to execute arbitrary HTML and script code in a user’s browser if the user is tricked into following a specially crafted link. Impacts Forminator 1.15.4 and older.

Site admins using the Forminator plugin are advised to upgrade the plugin to version 1.29.3, which addresses all three flaws, as soon as possible. WordPress.org stats show that since the release of the security update on April 8, 2024, roughly 180,000 site admins have downloaded the plugin. Assuming all those downloads concerned the latest version, there are still 320,000 sites that remain vulnerable to attacks.

At the time of writing, there have been no public reports of active exploitation of CVE-2024-28890, but given the severity of the flaw and the easy-to-meet requirements to leverage it, the risk for admins who postpone the update is high. To minimize the attack surface of WordPress sites, it is recommended to use as few plugins as possible, update them to the latest version as soon as possible, and deactivate plugins that aren’t actively used or needed.
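Since the unrestricted upload flaw lets files land on the server, an admin who ran an affected Forminator version will also want to check whether anything was dropped into the uploads tree. The sweep below is an added example, not code from the article, WPMU DEV or the Forminator plugin; the directory layout, extension lists and "PHP open tag inside an image" heuristic are the author's assumptions, not details of the flaw.

```python
"""Sweep a WordPress wp-content/uploads tree for files that should not be there.

Added defender's check (not plugin code): flags server-side script files,
double extensions such as shell.php.jpg, .htaccess files that could re-enable
PHP execution, and image-named files whose content opens with a PHP tag.
"""
import os
import re
from typing import Dict, Optional

# Extensions a PHP web server may execute; none belong under uploads (assumed list).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".shtml"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg"}
# A script extension buried in a double extension, e.g. picture.php.jpg
DOUBLE_EXT = re.compile(r"\.(php\d?|phtml|phar)\.", re.IGNORECASE)


def classify_file(path: str) -> Optional[str]:
    """Return a short reason if the file looks suspicious, else None."""
    name = os.path.basename(path).lower()
    _, ext = os.path.splitext(name)
    if name == ".htaccess":
        return "htaccess-in-uploads"
    if ext in SCRIPT_EXTS:
        return "script-extension"
    if DOUBLE_EXT.search(name):
        return "double-extension"
    if ext in IMAGE_EXTS:
        # A genuine image never begins with a PHP open tag.
        with open(path, "rb") as fh:
            head = fh.read(1024)
        if b"<?php" in head or b"<?=" in head:
            return "php-in-image"
    return None


def sweep_uploads(root: str) -> Dict[str, str]:
    """Walk the tree and map each suspicious relative path to its reason."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reason = classify_file(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings


if __name__ == "__main__":
    import sys
    for rel, why in sorted(sweep_uploads(sys.argv[1]).items()):
        print(f"{why:20} {rel}")
```

Run it as `python sweep.py /var/www/html/wp-content/uploads`; anything it lists deserves manual review, since legitimate uploads never carry these traits.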
