WordPress plugin for web forms contains critical vulnerability

WordPress websites that use the Forminator plugin to build web forms are exposed to the upload and execution of malicious files. Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued a warning about this.

JPCERT/CC has issued an alert for CVE-2024-28890, a critical vulnerability affecting websites running on WordPress. The flaw, an unrestricted file upload in the Forminator plugin, allows attackers to upload rogue files to the server hosting the targeted website and have them executed there.

The Forminator plugin lets WordPress users build all kinds of web forms and embed them in their websites. The vulnerability affects every version of the plugin earlier than 1.29.0, the release that fixes it. That version appeared in January this year.

Promotional image for 'forminator', a free plugin, showing features such as customizable forms, quizzes and polls, with payment options displayed graphically.

High number of vulnerable websites

The number of WordPress sites running the Forminator plugin runs into the hundreds of thousands. Figures from WordPress.org show that 55 percent of installations are on version 1.29.0 or later; only about 200,000 sites with the plugin are reported to be on a safe version, which leaves a very large number still vulnerable.

WordPress sites are regularly exposed through their plugins, and a single flaw can put as many as a million sites at risk at once, as happened in January with the Better Search Replace plugin. It is up to website administrators to keep track of the plugins they use and apply updates promptly.
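As an added illustration of that last point, the following POSIX shell script reads the `Version:` header of a WordPress plugin's main file and compares it against 1.29.0, the first version this article reports as not affected. It is example code written for this page, not JPCERT/CC's or the Forminator project's code; the plugin path, the constructed sample header and the 1.29.0 threshold are assumptions taken from the article, not from the plugin's own files.

```shell
#!/bin/sh
# Example script (not from the Forminator project or JPCERT/CC).
# Checks whether an installed Forminator plugin is older than the
# first version the article reports as fixed, 1.29.0 (assumed threshold).

FIXED_VERSION="1.29.0"

# plugin_version_from_header FILE
# Extracts the dotted version number from a WordPress plugin header
# (a comment block containing a line such as " * Version: 1.28.0").
plugin_version_from_header() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# version_lt A B
# Returns 0 (true) if dotted version A is older than B, comparing
# component by component so that 1.9.0 < 1.29.0 and 1.29 == 1.29.0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1
  }'
}

# forminator_status VERSION
# Prints "vulnerable" for versions earlier than 1.29.0, "patched" otherwise.
forminator_status() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# Usage: sh check_forminator.sh [/path/to/wp-content/plugins/forminator/forminator.php]
# Without an argument a constructed sample header is checked so the script
# runs offline; the path above is the usual location, assumed, not verified.
main() {
  if [ $# -gt 0 ]; then
    file="$1"
    cleanup=""
  else
    file=$(mktemp)
    cleanup="$file"
    # Constructed sample of a plugin header; not Forminator's real file.
    cat > "$file" <<'EOF'
<?php
/**
 * Plugin Name: Forminator
 * Version: 1.28.0
 */
EOF
  fi
  v=$(plugin_version_from_header "$file")
  if [ -z "$v" ]; then
    echo "could not read a Version: header from $file" >&2
  else
    echo "Forminator $v: $(forminator_status "$v")"
  fi
  [ -n "$cleanup" ] && rm -f "$cleanup"
  return 0
}

main "$@"
```

Run it against the plugin's main file on each site, or feed the same check the output of `wp plugin get forminator --field=version` if WP-CLI is available; either way the decision is the version comparison, not the plugin's own self-report of being up to date.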

Also read: Number of vulnerabilities in WordPress plugins doubled