Critical Forminator plugin flaw impacts over 300k WordPress sites

April 20, 2024 at 05:07PM

The popular Forminator WordPress plugin, utilized on over 500,000 sites, is susceptible to a critical vulnerability allowing malicious file uploads to servers. This flaw, detailed by Japan’s CERT, includes potential for sensitive data access, site alteration, and a denial-of-service condition. Site admins are cautioned to promptly update to version 1.29.3 to address three known vulnerabilities.

From the article, the following key points can be distilled:

– The Forminator WordPress plugin has a critical vulnerability (CVE-2024-28890) that allows remote attackers to perform unrestricted file uploads to the server, potentially leading to data breaches and denial-of-service (DoS) conditions.
– Two other vulnerabilities (CVE-2024-31077 and CVE-2024-31857) also affect earlier versions of Forminator, including a SQL injection flaw and a cross-site scripting (XSS) flaw.
– Site admins are strongly advised to upgrade to version 1.29.3 of the Forminator plugin, which addresses all three vulnerabilities.
– While approximately 180,000 site admins have already downloaded the security update, there are still around 320,000 sites that remain vulnerable to attacks.
– Although there have been no public reports of active exploitation of CVE-2024-28890 at the time of writing, the severity of the flaw warrants immediate action by admins to minimize the risk to their sites.

In conclusion, it is critical for site admins using the Forminator plugin to promptly update to version 1.29.3 to mitigate the risk of potential security breaches and attacks. Additionally, best practices for securing WordPress sites include using as few plugins as possible, promptly updating to the latest versions, and deactivating plugins that are not actively used or needed.
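A defender's version audit, added here as an illustration and not code from the article or from the Forminator project: it reads the standard WordPress plugin header (the `Version:` line in a plugin's main PHP file, a sample of which is constructed inline) and compares the installed version numerically against the fixed release 1.29.3, so that a later release such as 1.29.10 is not misjudged as older. The plugin path `wp-content/plugins/forminator/forminator.php` is an assumption.

```python
"""Check whether an installed Forminator version predates the fixed release."""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Release that fixes CVE-2024-28890, CVE-2024-31077 and CVE-2024-31857 (from the article).
FIXED_VERSION = "1.29.3"

# Assumed location of the plugin's main file relative to the WordPress root.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/forminator/forminator.php")

# Constructed sample of a WordPress plugin header block (not taken from the real plugin).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Forminator
 * Version: 1.29.1
 */
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.29.3' -> (1, 29, 3): tuple comparison is numeric, so 1.29.10 > 1.29.3."""
    return tuple(int(part) for part in text.strip().split("."))


def plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' header from a plugin's main PHP file, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def audit_header(header_text: str) -> Dict[str, object]:
    """Summarise one plugin header: the version found and whether it needs updating."""
    version = plugin_version(header_text)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no Version header found"}
    return {"version": version, "vulnerable": is_vulnerable(version), "note": f"fixed in {FIXED_VERSION}"}


def audit_site(wp_root: Path) -> Dict[str, object]:
    """Audit a WordPress install on disk; reports 'not installed' if the plugin file is missing."""
    plugin_file = wp_root / PLUGIN_MAIN_FILE
    if not plugin_file.is_file():
        return {"version": None, "vulnerable": False, "note": "Forminator not installed"}
    return audit_header(plugin_file.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    print(audit_header(SAMPLE_PLUGIN_HEADER))
```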
