The Information Highway

The Information Highway

Font size: +
2 minutes reading time (360 words)

Critical Forminator plugin flaw impacts over 300k WordPress sites

The Forminator WordPress plugin used in over 500,000 sites is vulnerable to a flaw that allows malicious actors to perform unrestricted file uploads to the server.


Forminator by WPMU DEV is a custom contact, feedback, quizzes, surveys/polls, and payment forms builder for WordPress sites that offers drag-and-drop functionality, extensive third-party integrations, and general versatility.

On Thursday, Japan's CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin. 

"A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition." - JVN

JPCERT's security bulletin lists the following three vulnerabilities:

  • CVE-2024-28890 – Insufficient validation of files during file upload, allowing a remote attacker to upload and execute malicious files on the site's server. Impacts Forminator 1.29.0 and earlier.
  • CVE-2024-31077 – SQL injection flaw allowing remote attackers with admin privileges to execute arbitrary SQL queries in the site's database. Impacts Forminator 1.29.3 and earlier.
  • CVE-2024-31857 – Cross-site scripting (XSS) flaw allowing a remote attacker to execute arbitrary HTML and script code into a user's browser if tricked to follow a specially crafted link. Impacts Forminator 1.15.4 and older.

Site admins using the Forminator plugin are advised to upgrade the plugin to version 1.29.3, which addresses all three flaws, as soon as possible.

WordPress.org stats show that since the release of the security update on April 8, 2024, roughly 180,000 site admins have downloaded the plugin. Assuming all those downloads concerned the latest version, there are still 320,000 sites that remain vulnerable to attacks.

By the time of writing, there have been no public reports of active exploitation for CVE-2024-28890, but due to the severity of the flaw and the easy-to-meet requirements to leverage it, the risk for admins postponing the update is high.

To minimize the attack surface on WordPress sites, use as few plugins as possible, update to the latest version as soon as possible, and deactivate plugins that aren't actively used/needed.

Malware dev lures child exploiters into honeytrap ...
GitHub comments abused to push malware via Microso...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Saturday, 23 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023