A critical vulnerability has been uncovered in the popular WordPress plugin Forminator, putting an estimated 300,000+ websites at risk of exploitation. The flaw, tracked as CVE-2024-28890, allows unauthenticated attackers to upload arbitrary files, potentially leading to full site takeovers.
Forminator, developed by WPMU DEV, is a commonly used plugin that allows WordPress users to easily create custom forms, quizzes, polls, and more. Its popularity translates to a large potential attack surface for malicious actors.
Japan’s CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin.
A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.” – JVN
JPCERT’s security bulletin lists the following three vulnerabilities:
- CVE-2024-28890 – Insufficient validation of files during file upload, allowing a remote attacker to upload and execute malicious files on the site’s server. Impacts Forminator 1.29.0 and earlier.
- CVE-2024-31077 – SQL injection flaw allowing remote attackers with admin privileges to execute arbitrary SQL queries in the site’s database. Impacts Forminator 1.29.3 and earlier.
- CVE-2024-31857 – Cross-site scripting (XSS) flaw allowing a remote attacker to execute arbitrary HTML and script code into a user’s browser if tricked to follow a specially crafted link. Impacts Forminator 1.15.4 and older.
Site admins using the Forminator plugin are advised to upgrade the plugin to version 1.29.3, which addresses all three flaws, as soon as possible.
