critical risk banner

300K+ WordPress Sites at Risk Due to Critical Forminator Plugin Flaw

2 Mins Read

PUREVPNNews300K+ WordPress Sites at Risk Due to Critical Forminator Plugin Flaw

A critical vulnerability has been discovered in the Forminator plugin, a popular form builder for WordPress, affecting over 300,000 sites. This plugin, developed by WPMU DEV, is used by more than half a million websites for its drag-and-drop functionality and compatibility with a wide range of third-party services. 

Serious Flaw Discovered in Forminator

The Japan Computer Emergency Response Team (CERT) issued an alert regarding this flaw, which poses a significant security threat to countless WordPress sites using the Forminator plugin. 

The vulnerability discovered in Forminator, identified as CVE-2024-28890, allows unauthorized file uploads, enabling attackers to inject malware into the websites using the compromised plugin. This affects versions 1.29.0 and earlier.

Forminator vulnerability listed on JVN

“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition,” stated the alert from JVN.

Furthermore, two other major vulnerabilities were identified:

  • CVE-2024-31077: An SQL injection vulnerability that permits attackers with admin privileges to run arbitrary SQL commands within a website’s database. This affects versions 1.29.3 and earlier.
  • CVE-2024-31857: A cross-site scripting (XSS) issue that could let attackers execute harmful HTML and scripts on a user’s browser. This flaw is present in versions 1.15.4 and older.

Website administrators are urged to update their Forminator plugin to the latest version. Despite the release of this security patch on April 8, 2024, an alarming number of sites remain unprotected. 

WordPress.org statistics reveal that while 180,000 updates have been downloaded, around 320,000 sites have yet to apply these critical security measures. 

While no active exploits of CVE-2024-28890 have been reported at the time of writing, the ease of exploiting this vulnerability makes it a significant threat to any site that has delayed updating its software.

Best Practices for Maintaining Website Security

To minimize potential threats, website owners should:

  • Streamline the use of plugins, keeping only those that are essential.
  • Ensure plugins are always updated to their latest versions. 
  • Deactivate unnecessary plugins to reduce the risk of vulnerabilities being exploited.

Make sure to take the necessary steps to protect your site from this vulnerability and stay informed about the latest updates!

author

Anas Hasan

date

April 24, 2024

time

2 weeks ago

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.

Related Stories

DropBox Sign Breached by Hackers, Customer Data and Other Info Stolen 

DropBox Sign Breached by Hackers, Customer Data and Other Info Stolen 
Posted on May 3, 2024
‘Dirty Stream’ Attack Affects Android Apps, Microsoft Warns

‘Dirty Stream’ Attack Affects Android Apps, Microsoft Warns
Posted on May 3, 2024
Cuttlefish Malware Targets Routers to Steal Authentication Data

Cuttlefish Malware Targets Routers to Steal Authentication Data
Posted on May 2, 2024

Have Your Say!!

Join 3 million+ users to embrace internet freedom

Signup for PureVPN to get complete online security and privacy with a hidden IP address and encrypted internet traffic.

Get PureVPN