A flaw in the Forminator plugin impacts hundreds of thousands of WordPress sites

Summary: The WordPress plugin Forminator, developed by WPMU DEV, is affected by multiple vulnerabilities, including a flaw that allows unrestricted file uploads to the server.

Threat Actor: Remote attackers

Victim: WordPress sites using the Forminator plugin

Key Points:

  • A critical vulnerability (CVE-2024-28890) allows remote attackers to upload malicious code on WordPress sites using the Forminator plugin.
  • Other vulnerabilities include a SQL injection flaw (CVE-2024-31077) and a cross-site scripting flaw (CVE-2024-31857).
  • Forminator version 1.29.3 addresses all the vulnerabilities, and admins are recommended to update their installations.
  • Over 200,000 sites remain vulnerable to cyber attacks because they have not updated to the latest version of the plugin.

Japan’s CERT warned that the WordPress plugin Forminator, developed by WPMU DEV, is affected by multiple vulnerabilities, including a flaw that allows unrestricted file uploads to the server.

Forminator is a popular WordPress plugin that allows users to easily create various forms for their website without needing any coding knowledge. The plugin has over 500,000 active installations.

One of these vulnerabilities is a critical issue, tracked as CVE-2024-28890 (CVSS v3: 9.8), that a remote attacker can exploit to upload malicious code to WordPress sites using the plugin.

“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin and cause a denial-of-service (DoS) condition (CVE-2024-28890),” reads the security bulletin published by the JPCERT.

The bulletin also warns of the following vulnerabilities:

  • CVE-2024-31077 (CVSS score 7.2) – SQL injection flaw – An administrative user may obtain and alter any information in the database and cause a denial-of-service (DoS) condition
  • CVE-2024-31857 (CVSS score 6.1) – Cross-site scripting flaw – A remote attacker may obtain user information etc. and alter the page contents on the user’s web browser

Forminator version 1.29.3 addressed all the vulnerabilities; admins are recommended to update their installations as soon as possible.
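The practical question for anyone running several WordPress sites is which of them still carry a Forminator build older than 1.29.3. The script below is an added example, not code from the article or from WPMU DEV; it assumes the plugin lives at wp-content/plugins/forminator/forminator.php and that this file carries the standard "Version:" plugin header, and it builds two constructed site roots so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or WPMU DEV): flag WordPress roots whose
# Forminator copy is older than the fixed release 1.29.3 named in the article.
# Assumption: the plugin sits at wp-content/plugins/forminator/forminator.php
# and that file carries the standard "Version:" plugin-header line.
FIXED_VERSION="1.29.3"

# Print the Version: header value of a plugin main file (empty if absent).
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed when version $1 sorts strictly below version $2 (GNU sort -V).
version_lt() {
  if [ "$1" = "$2" ]; then return 1; fi
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
  [ "$lowest" = "$1" ]
}

# Classify one WordPress root; always returns 0 so it is safe under set -e.
check_site() {
  main="$1/wp-content/plugins/forminator/forminator.php"
  if [ ! -f "$main" ]; then echo "absent"; return 0; fi
  v=$(plugin_version "$main")
  if [ -z "$v" ]; then echo "unknown (no Version header)"; return 0; fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable ($v < $FIXED_VERSION)"
  else
    echo "patched ($v)"
  fi
}

# Constructed fixture so the script runs offline: two fake site roots, one
# still on 1.29.2 and one on the fixed 1.29.3.
demo_root=$(mktemp -d)
for pair in old:1.29.2 new:1.29.3; do
  site="$demo_root/${pair%%:*}"
  mkdir -p "$site/wp-content/plugins/forminator"
  printf '<?php\n/**\n * Plugin Name: Forminator\n * Version: %s\n */\n' "${pair#*:}" \
    > "$site/wp-content/plugins/forminator/forminator.php"
done

for site in old new missing; do
  echo "$site: $(check_site "$demo_root/$site")"
done
```

Point check_site at real document roots (one call per site) to drive a cron alert; the version compare also orders multi-digit components correctly, so 1.29.10 is reported as patched.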

At the time of this writing, researchers have reports of attacks in the wild exploiting the vulnerability CVE-2024-28890.

According to statistics provided by WordPress.org, the plugin has over 500,000 active installations, but only 55.9% (over 279,000) are running version 1.29.

This means that more than 200,000 sites are vulnerable to cyber attacks.

Pierluigi Paganini





Source: https://securityaffairs.com/162113/security/forminator-wordpress-plugin-flaws.html
