Advisory

Forminator WordPress plugin has a critical flaw exposing over 300k sites

Take action: If you run the Forminator plugin for WordPress, update it to version 1.29.3 or later as soon as possible. It is a routine plugin update, so don't delay.


Learn More

The Forminator plugin for WordPress, which has over 500,000 active installations, contains a critical flaw that lets attackers upload arbitrary files to the server without any authentication (the 9.8 score below corresponds to a network-reachable flaw that needs no privileges and no user interaction).

The vulnerability is tracked as CVE-2024-28890 (CVSS score 9.8). It stems from insufficient validation of uploaded files in Forminator versions 1.29.0 and earlier: the plugin does not adequately restrict what a submitted form may upload, so an attacker can place a file of their choosing on the server and execute it. That opens the way to theft of sensitive data, modification of the site, or a denial-of-service condition.

Alongside CVE-2024-28890, two other related vulnerabilities were reported:

  • CVE-2024-31077 (CVSS score 7.2): An SQL injection vulnerability affecting Forminator versions before 1.29.3, which could allow attackers who already hold admin privileges to execute arbitrary SQL queries. The authentication requirement is why it scores lower than the upload flaw.
  • CVE-2024-31857 (CVSS score 6.1): A reflected cross-site scripting (XSS) flaw affecting versions 1.15.4 and older, which could let attackers execute arbitrary HTML and script code in a victim's browser via a crafted link.

The Forminator team has addressed these issues in the latest plugin version, 1.29.3.

All site administrators using Forminator are strongly advised to update the plugin to 1.29.3 or later to mitigate these risks.
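The following POSIX shell script is an added example for this advisory; it is not code from the advisory or from the Forminator project. It reads the installed plugin version from the standard WordPress plugin header, compares it with the fixed release 1.29.3, and lists server-side executable files sitting under wp-content/uploads, which is where an unrestricted-upload flaw would leave a planted script. The plugin path wp-content/plugins/forminator/forminator.php and the list of executable extensions are assumptions.

```sh
#!/bin/sh
# Added example for this advisory; not code from the advisory or the Forminator project.
# Checks whether a WordPress install still runs a Forminator version older than the
# fixed release and lists server-side executable files under wp-content/uploads.
#
# Assumptions (labelled): the plugin's main file is
# wp-content/plugins/forminator/forminator.php and carries the standard WordPress
# "Version:" header; version strings are dotted integers (1.29.0, 1.29.3, ...).

FORMINATOR_FIXED="1.29.3"

# version_lt A B: succeeds (exit 0) when dotted version A is strictly older than B.
# Compares segment by segment; a missing segment counts as 0, so 1.29 < 1.29.3.
version_lt() {
    vl_a="$1"; vl_b="$2"
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_ai="${vl_a%%.*}"; vl_bi="${vl_b%%.*}"
        [ -n "$vl_ai" ] || vl_ai=0
        [ -n "$vl_bi" ] || vl_bi=0
        if [ "$vl_ai" -lt "$vl_bi" ]; then return 0; fi
        if [ "$vl_ai" -gt "$vl_bi" ]; then return 1; fi
        case "$vl_a" in *.*) vl_a="${vl_a#*.}" ;; *) vl_a="" ;; esac
        case "$vl_b" in *.*) vl_b="${vl_b#*.}" ;; *) vl_b="" ;; esac
    done
    return 1    # equal versions: not older
}

# forminator_vulnerable VERSION: succeeds when VERSION predates the fixed release.
forminator_vulnerable() {
    version_lt "$1" "$FORMINATOR_FIXED"
}

# installed_version WP_ROOT: prints the Version: header value of the plugin's main
# file (assumed path), or fails if the plugin is not installed there.
installed_version() {
    iv_file="$1/wp-content/plugins/forminator/forminator.php"
    [ -f "$iv_file" ] || return 1
    sed -n 's/^[^A-Za-z]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$iv_file" | head -n 1
}

# check_site WP_ROOT: prints a verdict; returns 0 = patched, 1 = vulnerable,
# 2 = plugin or version header not found.
check_site() {
    cs_ver="$(installed_version "$1")" && [ -n "$cs_ver" ] || {
        echo "forminator: plugin or Version header not found under $1"; return 2; }
    if forminator_vulnerable "$cs_ver"; then
        echo "forminator $cs_ver: VULNERABLE, update to $FORMINATOR_FIXED or later"
        return 1
    fi
    echo "forminator $cs_ver: patched"
    return 0
}

# suspicious_uploads UPLOADS_DIR: lists files whose extensions PHP-enabled web
# servers commonly execute. WordPress never stores PHP under uploads itself, so
# every hit deserves triage (correlate the file's mtime with form-submission POSTs
# in the web-server access log). Extension list is an assumption, not exhaustive.
suspicious_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[0-9]' \) 2>/dev/null
}

# Stand-alone use: sh forminator_check.sh /var/www/html
if [ -n "${1:-}" ]; then
    check_site "$1"
    echo "-- PHP files under uploads (should be empty):"
    suspicious_uploads "$1/wp-content/uploads"
fi
```

A file found by suspicious_uploads is not proof of compromise on its own, and a clean result does not rule one out (an attacker may have moved or removed the dropper); treat the scan as a starting point for log review, not a verdict. The version check also only covers the upload flaw's fix; CVE-2024-31857 has a much older cut-off, so an install that passes for 1.29.3 is covered for all three issues, while an older install fails regardless.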

WordPress.org data indicates that about 180,000 downloads of the plugin have occurred since the security update was released, which suggests that roughly 300,000 of the 500,000 active installations may still be running a vulnerable version.
