The Forminator plugin for WordPress, utilized by over 500,000 sites, has a vulnerability that could let attackers upload files to the server without restrictions.
Developed by WPMU DEV, Forminator is a customizable tool for creating contact forms, surveys, quizzes, feedback forms, polls, and payment forms on WordPress. It features drag-and-drop functionality and integrates with many third-party services.
On Thursday, Japan’s Computer Emergency Response Team (CERT) issued a warning through its vulnerability notes portal (JVN) about a critical security issue in Forminator, known as CVE-2024-28890 (CVSS v3: 9.8). This flaw could let remote attackers upload malware to WordPress sites using the plugin.
According to the JVN, a remote attacker could obtain sensitive information by accessing files on the server, alter a site that uses the plugin, or cause a denial-of-service (DoS) condition.
JPCERT’s security bulletin lists three specific vulnerabilities in Forminator:
- CVE-2024-28890 – Insufficient file validation during uploads allows remote attackers to upload and run malicious files on the server. This affects Forminator 1.29.0 and earlier.
- CVE-2024-31077 – An SQL injection flaw enabling remote attackers with admin privileges to execute arbitrary SQL queries in the site’s database. This impacts Forminator 1.29.3 and earlier.
- CVE-2024-31857 – A cross-site scripting (XSS) flaw allowing attackers to inject HTML and script code into a user’s browser by tricking them into clicking on a crafted link. This affects Forminator 1.15.4 and older.
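As an added illustration, not Forminator's or WPMU DEV's code, of the kind of server-side check whose weakness the CVE-2024-28890 entry describes, the following PHP function accepts an upload only when its extension is on an allowlist, no blocked executable extension appears elsewhere in the file name, and the content type detected from the file itself matches the extension; the function name, allowlist and sample file are assumptions.

```php
<?php
// Added example (not from the Forminator plugin): allowlist-based validation
// of an uploaded file, checking the real content type rather than the
// client-supplied one. Assumed names; the allowlist is a constructed sample.

/**
 * Return true when the upload may be stored, false otherwise.
 * $tmpPath is the temporary file PHP wrote; $originalName is the client name.
 */
function is_upload_acceptable(string $tmpPath, string $originalName): bool
{
    // Allowed extensions and the detected MIME type each one must match.
    $allowed = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'pdf'  => ['application/pdf'],
    ];
    // Extensions that must never appear anywhere in a stored file name.
    $blocked = ['php', 'php3', 'php5', 'php7', 'phtml', 'phar', 'htaccess', 'cgi'];

    $parts = explode('.', strtolower(basename($originalName)));
    if (count($parts) < 2) {
        return false;                 // no extension at all
    }
    $ext = array_pop($parts);
    if (!isset($allowed[$ext])) {
        return false;                 // extension not on the allowlist
    }
    // Reject names carrying a blocked extension before the final one
    // (some server configurations execute such files).
    foreach ($parts as $inner) {
        if (in_array($inner, $blocked, true)) {
            return false;
        }
    }
    // Inspect the bytes on disk; ignore the MIME type the client sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    return in_array($mime, $allowed[$ext], true);
}

// Constructed sample: PHP source saved under an image file name is rejected.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'x'; ?>");
var_dump(is_upload_acceptable($tmp, 'avatar.jpg'));
var_dump(is_upload_acceptable($tmp, 'avatar.php.jpg'));
unlink($tmp);
```

Even with this check, accepted files should be stored under a server-generated name in a directory that the web server does not execute scripts from.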
Site administrators using the Forminator plugin are advised to update to version 1.29.3 or later to mitigate all three vulnerabilities.
According to WordPress.org, since the security update was released on April 8, 2024, about 180,000 site admins have downloaded the plugin, implying that about 320,000 sites could still be vulnerable.
At the time of writing, there have been no public reports of active exploitation of CVE-2024-28890. However, the flaw’s high severity and low difficulty pose a significant risk for those who delay updating the plugin.
To reduce the risk of attacks on WordPress sites, administrators should minimize the use of plugins, ensure they’re always updated, and deactivate those not actively in use.