The Forminator WordPress plugin used in over 500,000 sites is vulnerable to a flaw that allows malicious actors to perform unrestricted file uploads to the server.
Forminator by WPMU DEV is a custom contact, feedback, quizzes, surveys/polls, and payment forms builder for WordPress sites that offers drag-and-drop functionality, extensive third-party integrations, and general versatility.
On Thursday, Japan’s CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin.
“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.” – JVN
JPCERT’s security bulletin lists the following three vulnerabilities:
- CVE-2024-28890 – Insufficient validation of files during file upload, allowing a remote attacker to upload and execute malicious files on the site’s server. Impacts Forminator 1.29.0 and earlier.
- CVE-2024-31077 – SQL injection flaw allowing remote attackers with admin privileges to execute arbitrary SQL queries in the site’s database. Impacts Forminator 1.29.3 and earlier.
- CVE-2024-31857 – Cross-site scripting (XSS) flaw allowing a remote attacker to execute arbitrary HTML and script code into a user’s browser if tricked to follow a specially crafted link. Impacts Forminator 1.15.4 and older.
Site admins using the Forminator plugin are advised to upgrade the plugin to version 1.29.3, which addresses all three flaws, as soon as possible.
WordPress.org stats show that since the release of the security update on April 8, 2024, roughly 180,000 site admins have downloaded the plugin. Assuming all those downloads concerned the latest version, there are still 320,000 sites that remain vulnerable to attacks.
By the time of writing, there have been no public reports of active exploitation for CVE-2024-28890, but due to the severity of the flaw and the easy-to-meet requirements to leverage it, the risk for admins postponing the update is high.
To minimize the attack surface on WordPress sites, use as few plugins as possible, update to the latest version as soon as possible, and deactivate plugins that aren’t actively used/needed.
