The Forminator WordPress plugin used in over 500,000 sites is vulnerable to a flaw that allows malicious actors to perform unrestricted file uploads to the server.
Forminator, a custom contact, feedback, quiz, survey/poll, and payment form builder for WordPress websites, is made by WPMU DEV and features a robust third-party integration list, drag-and-drop capability, and overall versatility.
On Thursday, Japan’s CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin.
“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.” – JVN
JPCERT’s security bulletin lists the following three vulnerabilities:
- CVE-2024-28890 – Insufficient validation of files during file upload, allowing a remote attacker to upload and execute malicious files on the site’s server. Impacts Forminator 1.29.0 and earlier.
- CVE-2024-31077 – SQL injection flaw allowing remote attackers with admin privileges to execute arbitrary SQL queries in the site’s database. Impacts Forminator 1.29.3 and earlier.
- CVE-2024-31857 – Cross-site scripting (XSS) flaw allowing a remote attacker to execute arbitrary HTML and script code in a user’s browser if the user is tricked into following a specially crafted link. Impacts Forminator 1.15.4 and older.
It is recommended that site administrators who use the Forminator plugin update it as soon as possible to version 1.29.3, which fixes all three bugs.
Approximately 180,000 site administrators have downloaded the plugin since the security update was released on April 8, 2024, according to statistics provided by WordPress.org. Even if every one of those downloads was for the most recent version, 320,000 websites are still open to intrusion.
To reduce the attack surface of a WordPress site, use as few plugins as possible, update them to the most recent version as soon as you can, and deactivate any plugins that are not actively used or necessary.
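One way to turn that advice into a repeatable check, as an added example that is not part of the article or of WPMU DEV's code: it parses the JSON that `wp plugin list --format=json` prints (the sample inventory and its version numbers below are constructed), flags any Forminator install below 1.29.3, and lists inactive plugins and pending updates. The `audit_live_site` helper assumes the `wp` CLI is on PATH.

```python
"""Audit a WordPress plugin inventory against the Forminator advisory.

Added example (not from the article or WPMU DEV). Reads the output of
`wp plugin list --format=json` and reports Forminator installs below
1.29.3, the release that fixes CVE-2024-28890, CVE-2024-31077 and
CVE-2024-31857, plus inactive plugins and pending updates.
"""
import json
import subprocess

FIXED_VERSION = "1.29.3"

# Constructed sample of `wp plugin list --format=json` output; the plugin
# versions here are made up for illustration.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "forminator", "status": "active", "update": "available", "version": "1.29.0"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "classic-editor", "status": "active", "update": "available", "version": "1.6.3"},
])


def parse_version(version):
    """Turn '1.29.3' into (1, 29, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def audit_plugins(wp_cli_json, fixed_version=FIXED_VERSION):
    """Return a list of findings for a plugin inventory given as wp-cli JSON."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        name, version, status = plugin["name"], plugin["version"], plugin["status"]
        if name == "forminator" and parse_version(version) < parse_version(fixed_version):
            findings.append(f"forminator {version} is below {fixed_version}; update now")
        elif plugin.get("update") == "available":
            findings.append(f"{name} {version} has an update available")
        if status == "inactive":
            findings.append(f"{name} {version} is inactive; remove it if it is not needed")
    return findings


def audit_live_site(path="."):
    """Run the audit against a real install (assumes `wp` is on PATH)."""
    result = subprocess.run(["wp", "plugin", "list", "--format=json", f"--path={path}"],
                            capture_output=True, text=True, check=True)
    return audit_plugins(result.stdout)


if __name__ == "__main__":
    for finding in audit_plugins(SAMPLE_WP_CLI_JSON):
        print(finding)
```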