
300K+ WordPress Sites at Risk Due to Critical Forminator Plugin Flaw

Anas Hasan

A critical vulnerability has been discovered in the Forminator plugin, a popular form builder for WordPress, affecting over 300,000 sites. This plugin, developed by WPMU DEV, is used by more than half a million websites for its drag-and-drop functionality and compatibility with a wide range of third-party services. 

Serious Flaw Discovered in Forminator

The Japan Computer Emergency Response Team (CERT) issued an alert regarding this flaw, which poses a significant security threat to countless WordPress sites using the Forminator plugin. 

The vulnerability discovered in Forminator, identified as CVE-2024-28890, allows unauthorized file uploads, enabling attackers to inject malware into any website running a vulnerable version of the plugin. Versions 1.29.0 and earlier are affected.

Forminator vulnerability listed on JVN

“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition,” stated the alert from JVN.

Furthermore, two other major vulnerabilities were identified:

Website administrators are urged to update their Forminator plugin to the latest version. Despite the release of this security patch on April 8, 2024, an alarming number of sites remain unprotected. 

WordPress.org statistics reveal that while 180,000 updates have been downloaded, around 320,000 sites have yet to install the patched version.

While no active exploits of CVE-2024-28890 have been reported at the time of writing, the ease of exploiting this vulnerability makes it a significant threat to any site that has delayed updating its software.
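Because the affected range is simply "1.29.0 and earlier", the first thing an administrator wants is a quick way to tell whether an installed copy still needs the update. The script below is an added example, not code from the PureVPN article or from WPMU DEV; it assumes the plugin slug is "forminator", that its main file is forminator.php, and that WP-CLI ("wp") is on PATH when it inspects a live site.

```shell
#!/bin/sh
# Added example (not from the article or WPMU DEV): report whether a Forminator
# version is in the range the advisory calls vulnerable (1.29.0 and earlier,
# CVE-2024-28890). Assumptions: plugin slug "forminator", main file
# forminator.php, and WP-CLI ("wp") on PATH when checking a live site.

LAST_VULNERABLE="1.29.0"

# Return 0 (true) when version $1 <= version $2. A pre-release suffix such as
# "1.29.0-beta" is dropped and versions are zero-padded, so "1.29" == "1.29.0".
version_le() {
    v1="${1%%-*}.0.0.0" v2="${2%%-*}.0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$v1" | cut -d. -f"$i")
        y=$(printf '%s' "$v2" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0   # every component equal
}

# Return 0 when the given Forminator version still needs the April 2024 fix.
forminator_vulnerable() {
    version_le "$1" "$LAST_VULNERABLE"
}

# Read the installed version from a site (run from the WordPress root): WP-CLI
# if available, otherwise the "Version:" line of the plugin's file header.
installed_forminator_version() {
    if command -v wp >/dev/null 2>&1; then
        wp plugin get forminator --field=version 2>/dev/null
    else
        sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' \
            wp-content/plugins/forminator/forminator.php 2>/dev/null | head -n 1
    fi
}

main() {
    if [ "$1" = "--installed" ]; then v=$(installed_forminator_version); else v="$1"; fi
    [ -n "$v" ] || { echo "could not determine the Forminator version" >&2; return 2; }
    if forminator_vulnerable "$v"; then
        echo "Forminator $v is $LAST_VULNERABLE or earlier: update (CVE-2024-28890)"; return 1
    fi
    echo "Forminator $v is newer than $LAST_VULNERABLE: outside the affected range"
}

# Run only when given an argument (a version string, or --installed for a live site).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh forminator_check.sh --installed` from the WordPress root, or pass a version string directly; a non-zero exit status means the copy is in the affected range, which makes it easy to fold into a fleet-wide inventory job.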

Best Practices for Maintaining Website Security

To minimize potential threats, website owners should:

Make sure to take the necessary steps to protect your site from this vulnerability and stay informed about the latest updates!
