Serious Vulnerability in Forminator Plugin Affects 300,000+ WordPress Websites


A critical flaw has been discovered in the popular Forminator WordPress plugin, which is used by more than 500,000 websites. The vulnerability allows malicious actors to perform unrestricted file uploads to affected servers.

Forminator, developed by WPMU DEV, is a versatile plugin used for creating custom contact forms, feedback forms, quizzes, surveys, polls, and payment forms within WordPress sites. Its drag-and-drop functionality, extensive third-party integrations, and overall flexibility make it a preferred choice for many website owners.

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) recently issued an alert on its vulnerability notes portal (JVN), highlighting a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator. This flaw enables remote attackers to upload and execute malicious files on servers hosting websites using the plugin.

According to the JVN alert, attackers could gain unauthorized access to sensitive information, manipulate the affected website, and potentially cause denial-of-service (DoS) conditions.

JPCERT/CC's security bulletin outlines three specific vulnerabilities associated with Forminator:

  • CVE-2024-28890: This flaw involves insufficient file validation during uploads, enabling remote attackers to upload and execute malicious files on the server. It impacts Forminator versions up to 1.29.0.

  • CVE-2024-31077: An SQL injection vulnerability allows attackers with admin privileges to execute arbitrary SQL queries within the website's database. This vulnerability affects Forminator versions up to 1.29.3.

  • CVE-2024-31857: A cross-site scripting (XSS) vulnerability enables remote attackers to inject arbitrary HTML and script code into a user's browser via specially crafted links. This vulnerability impacts Forminator versions up to 1.15.4.

Website administrators are strongly advised to update the Forminator plugin to version 1.29.3 immediately, as this release addresses all three identified vulnerabilities. Although around 180,000 site admins have already downloaded the security update since its release on April 8, 2024, approximately 320,000 websites remain vulnerable because they have not yet updated.
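For administrators who manage many installs, the first practical step is finding out which copies of Forminator are still below the fixed release. The script below is an added example written for this page; it is not code from the article or from WPMU DEV. It reads the standard WordPress plugin header ("Version:" line) from the plugin's main file and compares it with 1.29.3, the release the article names as fixing all three CVEs. The plugin path and the sample header are assumptions based on the usual WordPress plugin layout.

```python
"""Check whether an installed Forminator copy is below the fixed release.

Added example, not the article's or the plugin's own code. Assumptions:
  - the plugin's main file is wp-content/plugins/forminator/forminator.php
  - it carries the standard WordPress plugin header with a "Version:" line
"""
import re
from pathlib import Path
from typing import Optional

# Fixed release named in the article; every earlier release is treated as affected.
FIXED_VERSION = "1.29.3"

# Assumed location of the plugin's main file, relative to the WordPress root.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/forminator/forminator.php")

# Matches " * Version: 1.29.0" or "Version: 1.29.0" inside the header comment.
_VERSION_LINE = re.compile(
    r"^\s*\*?\s*Version:\s*(?P<v>[0-9][0-9A-Za-z.\-]*)\s*$",
    re.MULTILINE | re.IGNORECASE,
)

# Constructed sample header (not copied from the real plugin) for offline runs.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Forminator
 * Description: Example header constructed for this check.
 * Version: 1.29.0
 * Author: Example
 */
"""


def parse_version(text: str) -> tuple:
    """Turn '1.29.0' into (1, 29, 0); a trailing suffix such as '-beta' is dropped."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def header_version(header_text: str) -> Optional[str]:
    """Return the version string from a WordPress plugin header, or None if absent."""
    match = _VERSION_LINE.search(header_text)
    return match.group("v") if match else None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts below the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def audit_header(header_text: str) -> dict:
    """Summarise one plugin header: installed version, fixed version, verdict."""
    installed = header_version(header_text)
    if installed is None:
        return {"installed": None, "fixed": FIXED_VERSION, "vulnerable": None,
                "note": "no Version: line found; inspect the install manually"}
    return {"installed": installed, "fixed": FIXED_VERSION,
            "vulnerable": is_vulnerable(installed)}


def audit_install(wp_root: Path) -> dict:
    """Read the plugin header from a WordPress root and audit it."""
    main_file = wp_root / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"installed": None, "fixed": FIXED_VERSION, "vulnerable": None,
                "note": f"{main_file} not found; plugin may not be installed"}
    # Only the header comment is needed, so read the first few kilobytes.
    return audit_header(main_file.read_text(encoding="utf-8", errors="replace")[:8192])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(audit_install(Path(sys.argv[1])))   # e.g. python check.py /var/www/html
    else:
        print(audit_header(SAMPLE_HEADER))        # offline demo on the constructed header
```

Run it with the WordPress root as the argument on each host; a `vulnerable: True` result means the copy predates 1.29.3 and should be updated. Tuple comparison is used rather than string comparison so that 1.29.10 correctly sorts above 1.29.3.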

As of now, there are no public reports of active exploitation for CVE-2024-28890. However, given the severity of this flaw and its potential for exploitation, administrators who delay updates are at significant risk.

To enhance the security of WordPress sites, it is recommended to minimize the number of installed plugins, update all plugins promptly to their latest versions, and deactivate any plugins that are not actively used or necessary. These proactive measures reduce the attack surface and help safeguard against vulnerabilities in plugin code.