Critical Vulnerabilities in Popular Forminator WordPress Plugin Put Hundreds of Thousands of Websites at Risk

CVE-2024-28890

A recent security advisory discloses three vulnerabilities in the widely used Forminator WordPress plugin, one of them rated critical. With more than 500,000 active installations, unpatched sites are exposed to full site takeover, theft of data stored in the WordPress database, and attacks on their visitors.


What is Forminator?

Forminator is a popular WordPress plugin developed by WPMU DEV, offering a user-friendly, drag-and-drop interface for building various forms on websites. This plugin is used by businesses, organizations, and individuals for contact forms, surveys, payment collection, and more.

Vulnerabilities Explained

  1. CVE-2024-28890: Unrestricted Upload of File with Dangerous Type (CVSS Score 9.8 – Critical)
    • A remote attacker can submit a form with a file of a type the plugin should reject, such as a PHP script. If that file lands in a web-accessible directory and the server executes it, the attacker gains remote code execution and effectively full control of the site: installing malware, defacing content, or using the server to attack others. The 9.8 score reflects that no authentication and no user interaction are required, so every exposed form on an unpatched site is a target.
  2. CVE-2024-31077: SQL Injection (CVSS Score 7.2 – High)
    • Attacker-controlled input reaches a database query without proper escaping, letting the attacker run SQL of their choosing against the WordPress database: reading user accounts and password hashes, form submissions and customer data, or modifying and dropping tables. The 7.2 score (rather than 9.8) indicates that exploitation requires an authenticated account with elevated privileges, so the bug is most dangerous in combination with a phished or otherwise compromised administrator login.
  3. CVE-2024-31857: Cross-Site Scripting (XSS) (CVSS Score 6.1 – Medium)
    • Attacker-supplied script is rendered into a page served by the plugin and runs in the browser of a victim who loads that page; the 6.1 score reflects that user interaction, typically opening a crafted link, is required. Because the script executes in the site's own origin, it can act as the logged-in user (including an administrator), redirect visitors to malicious websites, or inject further content into the page.
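To make the file upload class concrete, the following is an added Python illustration, not Forminator's code and not a reproduction of the actual CVE-2024-28890 flaw: a naive validator that trusts client-supplied metadata sits next to a hardened one that enforces a server-side extension allowlist, rejects multiple extensions, checks magic bytes and stores files under a server-chosen name. The sample uploads are constructed test cases, not captured traffic.

```python
"""Unrestricted file upload (CWE-434): a naive validator next to a hardened one.

Added illustration of the vulnerability class; this is not Forminator's code
and does not reproduce the actual CVE-2024-28890 flaw. Inputs are constructed.
"""
import os
import secrets
from dataclasses import dataclass

# Allowlisted extensions with the magic bytes the content must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


@dataclass
class Upload:
    filename: str      # client-supplied, attacker controlled
    content_type: str  # client-supplied, attacker controlled
    data: bytes


def naive_accepts(u: Upload) -> bool:
    """Vulnerable pattern: trusts the client's Content-Type header and only
    blocks an exact '.php' suffix. Alternate PHP handlers (.phtml), double
    extensions (shell.php.jpg, executable under some Apache AddHandler setups)
    and a dropped .htaccess that re-maps .jpg to PHP all slip through."""
    if not u.content_type.startswith("image/"):
        return False
    return not u.filename.lower().endswith(".php")


def hardened_accepts(u: Upload) -> tuple:
    """Return (accepted, stored_name_or_rejection_reason).

    Rules: server-side allowlist of extensions, exactly one extension,
    magic bytes must match the extension, no PHP open tag anywhere in the
    body (guards polyglot files in case an include/LFI bug exists elsewhere),
    and the file is stored under a random server-chosen name.
    """
    name = os.path.basename(u.filename)        # drop any path component
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowlisted"
    if not u.data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?php" in u.data or b"<?=" in u.data:
        return False, "PHP open tag in body"
    return True, f"{secrets.token_hex(16)}.{ext}"


WEBSHELL = b"<?php system($_GET['c']); ?>"

# Constructed test cases (hypothetical attacker uploads), not real traffic.
SAMPLES = {
    "legit_jpeg": Upload("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "alt_php_ext": Upload("shell.phtml", "image/jpeg", WEBSHELL),
    "double_ext": Upload("shell.php.jpg", "image/jpeg", WEBSHELL),
    "htaccess": Upload(".htaccess", "image/jpeg", b"AddType application/x-httpd-php .jpg\n"),
    "spoofed_png": Upload("../../cover.png", "image/png", WEBSHELL),
    "polyglot_jpeg": Upload("cat.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + WEBSHELL),
}


def evaluate() -> dict:
    """Map sample name -> (naive_accepted, hardened_accepted)."""
    return {k: (naive_accepts(u), hardened_accepts(u)[0]) for k, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        print(f"{name:14s} naive={naive!s:5s} hardened={hard}")
```

Only the genuine JPEG passes the hardened check; every other sample is accepted by the naive check and rejected by the hardened one. Storing under a random name also defeats the path traversal attempt in the spoofed_png case, since the client filename is never used on disk.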

The Impact

These vulnerabilities, particularly the critical unrestricted file upload, pose a severe risk to websites using vulnerable versions of Forminator. Attackers can exploit these weaknesses to:

  • Deface Websites: Damage brand reputation and erode user trust.
  • Spread Malware: Serve drive-by downloads or other malware to visitors from a domain they trust.
  • Launch Phishing Attacks: Host credential-harvesting pages or trick users into giving up personal or financial information.
  • Compromise Search Engine Results: Inject hidden links or conditional redirects (SEO spam) that send search traffic to malicious websites.

Urgent Call to Action

Website owners and administrators using the Forminator plugin must update immediately to the latest patched versions:

  • CVE-2024-28890: Patched in Forminator version 1.29.0 and later.
  • CVE-2024-31077: Patched in Forminator version 1.29.3 and later.
  • CVE-2024-31857: Patched in Forminator version 1.15.4 and later.

Updating to 1.29.3 or later closes all three issues at once. Check the installed version under Plugins in the WordPress dashboard or with WP-CLI (wp plugin get forminator --field=version) and update with wp plugin update forminator. Because the file upload flaw needs no authentication, updating does not undo a compromise that has already happened: review the wp-content/uploads directory for PHP or other executable files and for unexpected .htaccess files, and check for unfamiliar administrator accounts before considering the site clean.
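The following added Python script (not code from WPMU DEV or from the advisory) applies the version thresholds above and the uploads-directory check. It assumes a default WordPress layout, with the plugin header in wp-content/plugins/forminator/forminator.php and uploads under wp-content/uploads; both paths are assumptions and should be adjusted for non-standard installs. The header text in the test is constructed.

```python
"""Post-advisory checks for a Forminator install.

Added example; it is not code from WPMU DEV or from the advisory. It reads the
'Version:' line of the plugin's main file, reports which of the three CVEs the
installed version is still exposed to (fixed-in versions taken from the
advisory), and lists files under the uploads directory whose names suggest
server-side code, a common indicator that an upload bug was exploited.
"""
import os
import re
import sys

# Fixed-in versions as stated in the advisory.
FIXED_IN = {
    "CVE-2024-28890": (1, 29, 0),   # unrestricted file upload
    "CVE-2024-31077": (1, 29, 3),   # SQL injection
    "CVE-2024-31857": (1, 15, 4),   # XSS
}

# Assumed default locations relative to the WordPress root (argv[1]).
PLUGIN_MAIN = os.path.join("wp-content", "plugins", "forminator", "forminator.php")
UPLOADS_DIR = os.path.join("wp-content", "uploads")

# Suffixes a typical PHP-enabled web server may execute, plus .htaccess,
# which an attacker can drop to make other extensions executable.
EXEC_SUFFIXES = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".htaccess")

# WordPress plugin headers are '* Key: value' lines in the leading comment block.
VERSION_RE = re.compile(r"^[\s*#]*Version:\s*(\d+(?:\.\d+)*)", re.MULTILINE | re.IGNORECASE)


def parse_version(header_text: str):
    """Extract the plugin-header 'Version:' value as a 3-tuple, or None."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def exposed_cves(version) -> list:
    """CVEs whose fixed-in version is newer than the installed one."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def suspicious_paths(paths) -> list:
    """Keep paths whose file name looks like server-side code in uploads."""
    hits = []
    for p in paths:
        low = os.path.basename(p).lower()
        if low.endswith(EXEC_SUFFIXES) or ".php." in low:   # catches x.php.jpg too
            hits.append(p)
    return hits


def walk_files(root):
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


def main(wp_root: str) -> int:
    with open(os.path.join(wp_root, PLUGIN_MAIN), encoding="utf-8", errors="replace") as fh:
        version = parse_version(fh.read(8192))  # header sits at the top of the file
    if version is None:
        print("could not read Forminator version header")
        return 2
    print("installed Forminator", ".".join(map(str, version)))
    exposed = exposed_cves(version)
    print("still exposed to:", ", ".join(exposed) if exposed else "none of the three CVEs")
    hits = suspicious_paths(walk_files(os.path.join(wp_root, UPLOADS_DIR)))
    for h in hits:
        print("review:", h)
    return 1 if exposed or hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it from the WordPress root (or pass the root as the first argument); a non-zero exit means either an unpatched version or files in uploads that deserve a manual look. A hit in uploads is an indicator, not proof of compromise, and a clean scan does not rule out other persistence such as rogue admin users.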