A flaw in the Forminator plugin impacts hundreds of thousands of WordPress sites

Pierluigi Paganini
April 22, 2024

Japan’s CERT warns of a vulnerability in the Forminator WordPress plugin that allows unrestricted file uploads to the server.

Japan’s CERT warned that the WordPress plugin Forminator, developed by WPMU DEV, is affected by multiple vulnerabilities, including a flaw that allows unrestricted file uploads to the server.

Forminator is a popular WordPress plugin that allows users to easily create various forms for their website without needing any coding knowledge. The plugin is installed on over 500,000 sites.

One of these vulnerabilities is a critical issue, tracked as CVE-2024-28890 (CVSS v3: 9.8), that a remote attacker can exploit to upload malicious code to WordPress sites using the plugin.

“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin and cause a denial-of-service (DoS) condition (CVE-2024-28890)” reads the security bulletin published by JPCERT.

The bulletin also warns of the following vulnerabilities:

  • CVE-2024-31077 (CVSS score 7.2) – SQL injection flaw – An administrative user may obtain and alter any information in the database and cause a denial-of-service (DoS) condition
  • CVE-2024-31857 (CVSS score 6.1) – Cross-site scripting flaw – A remote attacker may obtain user information etc. and alter the page contents on the user’s web browser

Forminator version 1.29.3 addresses all of the vulnerabilities; admins are advised to update their installs as soon as possible.

At the time of this writing, researchers have reports of attacks in the wild exploiting the vulnerability CVE-2024-28890.

According to statistics provided by WordPress.org, the plugin has over 500,000 active installations, but only 55.9% (over 279) are running version 1.29.

This means that more than 200,000 sites are vulnerable to cyber attacks.
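The WordPress.org statistic above counts every 1.29.x install as "version 1.29", but only 1.29.3 carries the fix, so a site on 1.29.0 through 1.29.2 is still exposed. The script below is an added example, not code from the article, JPCERT or WPMU DEV: it reads the standard WordPress "Version:" header of a plugin's main file and compares it against 1.29.3. The path wp-content/plugins/forminator/forminator.php is an assumption about the plugin's layout, and the header text embedded in the script is a constructed sample used so it runs offline.

```python
"""Check whether an installed Forminator copy predates the fixed release.

Added example (not from the article or from WPMU DEV). Assumptions:
  - the plugin's main file is wp-content/plugins/forminator/forminator.php
    and carries a standard WordPress "Version:" header line (assumed path);
  - 1.29.3 is the first fixed release, as the article states.
"""
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "1.29.3"  # first fixed release, per the article
PLUGIN_MAIN_FILE = Path("wp-content/plugins/forminator/forminator.php")  # assumed location

# Constructed sample of a WordPress plugin header, in the shape such files use.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Forminator
 * Version: 1.29.2
 * Author: WPMU DEV
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)",
                  header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    """Turn '1.29.3' into (1, 29, 3).

    A non-numeric suffix such as '-beta' is dropped, and a short version
    like '1.29' is padded to (1, 29, 0) so it compares as the first 1.29 build.
    """
    core = re.match(r"[0-9.]+", v).group(0).strip(".")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_tuple(installed) < version_tuple(fixed)


def check_header_text(text: str) -> dict:
    """Classify a plugin file's contents; 'vulnerable' is None if no header is found."""
    version = parse_plugin_version(text)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {"version": version, "vulnerable": is_vulnerable(version)}


def check_install(plugin_file: Path = PLUGIN_MAIN_FILE) -> dict:
    """Read the plugin's main file from a WordPress tree and classify it."""
    return check_header_text(plugin_file.read_text(errors="replace"))


if __name__ == "__main__":
    # Run against the constructed sample; point check_install() at a real
    # WordPress root to inspect an actual installation.
    print(check_header_text(SAMPLE_HEADER))
```

Run it from the WordPress document root and swap `check_header_text(SAMPLE_HEADER)` for `check_install()` to inspect a real install. Comparing numeric tuples rather than strings is the point: a plain string comparison would rank "1.29.10" below "1.29.3".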
