Forminator Plugin Flaw: Unrestricted Uploads Put 200,000+ WordPress Sites at Risk
Japan’s CERT Warns of Critical Vulnerabilities in Forminator WordPress Plugin
Japan’s Computer Emergency Response Team (CERT) has issued an urgent warning regarding multiple vulnerabilities in the popular Forminator WordPress plugin, developed by WPMU DEV. Among these vulnerabilities is a critical flaw, identified as CVE-2024-28890 (CVSS v3: 9.8), which allows remote attackers to conduct unrestricted file uploads to WordPress sites using the plugin.
Forminator is widely used by WordPress website owners to create custom forms without requiring coding knowledge, boasting over 500,000 installations.
The security bulletin published by JPCERT outlines additional vulnerabilities associated with Forminator:
- CVE-2024-31077 (CVSS score 7.2): SQL injection flaw that allows administrative users to access and modify database information, leading to potential denial-of-service (DoS) attacks.
- CVE-2024-31857 (CVSS score 6.1): Cross-site scripting (XSS) flaw enabling remote attackers to extract user information and manipulate page contents in users’ web browsers.
It is imperative for administrators to update Forminator to version 1.29.3 or later immediately to mitigate these security risks. As of now, there are reports of active attacks exploiting CVE-2024-28890 in the wild.
Statistics from WordPress.org indicate that while Forminator has over 500,000 active installations, only around 55.9% of these installations (over 279,000) are running version 1.29 or above. This leaves more than 200,000 sites vulnerable to cyber attacks.
Website owners and administrators are strongly advised to prioritize updating Forminator to the latest patched version to protect their sites from potential exploitation of these critical vulnerabilities.
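To help administrators act on the update guidance above across many sites, here is an added triage script (not from the article, JPCERT or WPMU DEV) that reads a WordPress plugin inventory and flags Forminator installs older than the patched release 1.29.3. It assumes the inventory is the JSON that `wp plugin list --format=json` produces; the sample inventory embedded below is constructed.

```python
"""Flag Forminator installs below 1.29.3 in a WP-CLI plugin inventory.

Added example, not part of the advisory. Input is assumed to be the JSON
emitted by `wp plugin list --format=json` (name, status, update, version).
"""
import json

FIXED_VERSION = "1.29.3"  # first release the advisory describes as patched

# Constructed sample inventory, shaped like `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "forminator", "status": "active", "update": "available", "version": "1.29.0"},
])


def parse_version(v: str) -> tuple:
    """Turn '1.29.3' into (1, 29, 3). A non-numeric suffix such as '-beta'
    is dropped from its component; a component with no digits sorts lowest."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else -1)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the patched release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(plugin_list_json: str, slug: str = "forminator") -> dict:
    """Summarise one site: whether the plugin is installed, its version,
    whether it is active, and whether it needs the update."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == slug:
            version = plugin.get("version", "")
            return {
                "installed": True,
                "version": version,
                "active": plugin.get("status") == "active",
                # Flag regardless of activation: the plugin files stay on disk.
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "version": None, "active": False, "vulnerable": False}
```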