Japan’s CERT warned that the WordPress plugin Forminator, developed by WPMU DEV, is affected by multiple vulnerabilities, including a flaw that allows unrestricted file uploads to the server.
Forminator is a popular WordPress plugin that allows users to easily create various forms for their website without needing any coding knowledge. The plugin is installed in over 500,000.
One of these vulnerabilities is a critical issue, tracked as CVE-2024-28890 (CVSS v3: 9.8) that a remote attacker can exploit to upload malicious code on WordPress sites using the plugin.
“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin and cause a denial-of-service (DoS) condition (CVE-2024-28890)” read the security bulletin published by the JPCERT.
The bulletin also warns of the following these vulnerabilities:
Forminator versions 1.29.3 addressed all the vulnerabilities, admins are recommended to update their installs asap
At the time of this writing, researchers have reports of attacks in the wild exploiting the vulnerability CVE-2024-28890.
According to statistics provided by WordPress.org, the plugin has over 500,000 active installations, but only 55,9% (over 279) are running version 1.29.
This means that more than 200,000 sites are vulnerable to cyber attacks.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, WordPress)