In a recent cybersecurity revelation, over 50,000 websites using the popular WordPress plugin Forminator are at risk due to multiple critical vulnerabilities.
If exploited, these flaws could allow attackers to perform a range of malicious activities, from stealing sensitive data to taking complete control of the affected websites.
Forminator is a widely used WordPress plugin designed to create and manage various forms on websites, including contact forms, surveys, and quizzes.
Its user-friendly drag-and-drop interface and integration capabilities with email marketing services and CRMs make it a favorite among website administrators. However, its popularity also makes it a significant target for cybercriminals.
Technical Details of the Vulnerabilities
The vulnerabilities identified in the Forminator plugin are severe and affect multiple versions of the plugin:
- Unrestricted File Upload (CVE-2024-28890): This vulnerability allows attackers to upload files of any type, including malicious scripts, to the server without proper validation. This can lead to unauthorized code execution and control over the website. The CVSS score for this vulnerability is 9.8, indicating its critical severity.
- SQL Injection (CVE-2024-31077): This flaw enables attackers with administrative privileges to execute arbitrary SQL queries in the website’s database. This can result in unauthorized access to or manipulation of sensitive data stored in the database. The vulnerability has a CVSS score of 7.2.
- Cross-Site Scripting (XSS) (CVE-2024-31857): Through this vulnerability, attackers can inject malicious HTML or script code into pages viewed by users. This can lead to the theft of cookies, session tokens, or other sensitive information handled by the user’s browser. The XSS flaw has a CVSS score of 6.1.
The exploitation of these vulnerabilities can have devastating effects on the security and functionality of websites. Attackers could potentially:
- Steal sensitive user information, such as personal data and login credentials.
- Alter or delete content on the website, leading to loss of integrity and availability.
- Use the compromised websites to distribute malware or launch further attacks.
Mitigation Measures
Website administrators using the Forminator plugin are urged to take immediate action to mitigate these risks:
- Update the Plugin: Ensure that Forminator is updated to the latest version as soon as possible. The developers at WPMU DEV have released patches for these vulnerabilities in the latest updates.
- Regularly Monitor and Audit: Regularly check and audit the website for unusual activities or unauthorized changes. Use security plugins and tools to enhance the monitoring process.
- Educate Users: Inform and educate users about the risks of phishing and other methods that could be used to exploit these vulnerabilities.
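As an added example (not code from the article, Forminator or WPMU DEV), the following Python script implements the audit step above for the file-upload flaw: it walks a wp-content/uploads tree and flags files that look like server-side code, which a media directory should never contain. The extension list and the PHP-tag probe are this example's own heuristics, and the sample tree it audits is constructed inline.

```python
# Added example (not from the article, Forminator or WPMU DEV): audit a WordPress
# uploads tree for server-side code; extension list and PHP-tag probe are this
# example's own heuristics.
import os
import re
import tempfile
from pathlib import Path

# Extensions a PHP-enabled server may execute; none belong under uploads.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# PHP open tag in the first bytes of a file, whatever its extension
# (catches payloads renamed to look like images).
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
PROBE_BYTES = 8192

def classify_file(path):
    """Return why the file is suspicious, or None if it looks harmless."""
    # path.suffixes covers double extensions such as avatar.php.jpg
    if {s.lower() for s in path.suffixes} & SCRIPT_EXTENSIONS:
        return "script extension"
    try:
        with path.open("rb") as fh:
            head = fh.read(PROBE_BYTES)
    except OSError:
        return None
    return "php open tag in content" if PHP_TAG.search(head) else None

def audit_uploads(uploads_dir):
    """Walk uploads_dir; return sorted (relative posix path, reason) pairs."""
    root = Path(uploads_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reason = classify_file(p)
            if reason:
                findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)

def demo():
    """Audit a constructed sample uploads tree (three planted files, one benign)."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp) / "wp-content" / "uploads" / "2024" / "04"
        up.mkdir(parents=True)
        (up / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (up / "shell.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
        (up / "avatar.php.jpg").write_bytes(b"<?php /* constructed double extension */ ?>")
        (up / "logo.png").write_bytes(b"PNG header then <?php hidden ?> payload")
        return audit_uploads(up.parents[1])  # the uploads directory itself
```

Call `demo()` to see the three planted files flagged, or point `audit_uploads()` at a real `wp-content/uploads` directory during a scheduled audit.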