Multiple Vulnerabilities Found In Forminator WordPress Plugin

WordPress admins using the Forminator plugin on their websites must rush to update their sites with the latest plugin release. That’s because numerous vulnerabilities existed in the Forminator plugin that could allow triggering site crashes and malicious file uploads on target websites.

One Out Of The Three Forminator Vulnerabilities Posed Severe Threat

According to a recent JPCERT/CC alert, at least three different vulnerabilities riddled the WordPress plugin Forminator. Exploiting these vulnerabilities could allow malicious file uploads, access to stored information, and site crashes.

Forminator is a dedicated form builder plugin for WordPress sites. It facilitates users’ creation of various forms for different web pages, including contact forms, payment forms, order forms, feedback widgets, and more. The plugin’s official page currently boasts over 500,000 active installations, indicating the sheer number of websites that could be at risk due to any vulnerabilities in the plugin.

Specifically, the following three vulnerabilities existed in the plugin.

  • CVE-2024-28890 (CVSS 9.8): A critical severity vulnerability that could allow unrestricted file uploads. An adversary could exploit the flaw to upload maliciously crafted files on the target server, access sensitive data, and even alter the plugin to trigger denial of service (DoS).
  • CVE-2024-31077 (CVSS 7.2): Another vulnerability that could allow DoS attacks. This SQL injection vulnerability could let an adversary access or modify the information in the target database.
  • CVE-2024-31857 (CVSS 6.1): A cross-site scripting (XSS) vulnerability that an attacker could exploit to modify the target web page’s content and access user information.

The advisory acknowledged the security researcher Hibiki Moriyama of STNet Inc. for reporting these vulnerabilities.

While CERT/CC didn’t mention anything about the active exploitation attempts for any of these vulnerabilities, the threat still persists. And, considering the serious threat these vulnerabilities pose, it’s crucial for all Forminator users to patch their sites with the latest plugin release (v.1.29.3) at the earliest.

Let us know your thoughts in the comments.