Japan‘s Computer Emergency Response Team (CERT) has issued a warning about multiple vulnerabilities in the Forminator WordPress plugin, which is used on over 500,000 websites. One of the most critical vulnerabilities identified is an unrestricted file upload flaw, enabling attackers to upload malicious code directly to the servers of websites using the plugin. This vulnerability, designated as CVE-2024-28890, has a high severity score of 9.8 on the CVSS v3 scale, indicating its potential for significant impact.
The security bulletin released by JPCERT detailed additional vulnerabilities associated with the Forminator plugin. These include a SQL injection flaw (CVE-2024-31077) with a CVSS score of 7.2, which could allow administrative users to obtain and alter database information, potentially causing a denial-of-service condition. Another notable vulnerability is a cross-site scripting (XSS) flaw (CVE-2024-31857), rated at 6.1, which could enable remote attackers to obtain user information and alter page contents in the user’s web browser.
Fortunately, these vulnerabilities have been addressed in Forminator version 1.29.3. Administrators managing WordPress sites with the Forminator plugin installed are strongly urged to update to this latest version immediately to mitigate these security risks. This update is critical as it patches the flaws that could otherwise allow attackers to exploit these sites.
Despite the availability of an update, the situation remains concerning as only about 55.9% of all installations have upgraded to the secured version, leaving more than 200,000 websites potentially exposed to these vulnerabilities. Given the active exploitation of CVE-2024-28890 in the wild, there is an urgent need for administrators to act swiftly to ensure their sites are not among those vulnerable to attack. This underscores the importance of regular updates and vigilance in maintaining website security.