Article Details

Critical Forminator plugin flaw impacts over 300k WordPress sites. The Forminator WordPress plugin used in over 500,000 sites is vulnerable to a flaw that allows malicious actors to perform unrestricted file uploads to the server. Forminator by WPMU DEV is a custom contact, feedback, quizzes, surveys/polls, and payment forms builder for WordPress sites that offers drag-and-drop functionality, extensive third-party integrations, and general versatility. On Thursday, Japan's CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin. "A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition." - JVN JPCERT's security bulletin lists the following three vulnerabilities: Site admins using the Forminator plugin are advised to upgrade the plugin to version 1.29.3, which addresses all three flaws, as soon as possible. WordPress.org stats show that since the release of the security update on April 8, 2024, roughly 180,000 site admins have downloaded the plugin. Assuming all those downloads concerned the latest version, there are still 320,000 sites that remain vulnerable to attacks. By the time of writing, there have been no public reports of active exploitation for CVE-2024-28890, but due to the severity of the flaw and the easy-to-meet requirements to leverage it, the risk for admins postponing the update is high. To minimize the attack surface on WordPress sites, use as few plugins as possible, update to the latest version as soon as possible, and deactivate plugins that aren't actively used/needed.