A recently discovered flaw in the Forminator plugin is putting hundreds of thousands of WordPress sites at risk. Japan’s CERT issued a warning about the vulnerability in the popular plugin, developed by WPMU DEV, that allows unrestricted file uploads to the server.

The critical vulnerability, tracked as CVE-2024-28890, has a CVSS v3 score of 9.8 and can be exploited by remote attackers to upload malicious code to WordPress sites using the plugin. Other vulnerabilities include a SQL injection flaw (CVE-2024-31077) and a cross-site scripting flaw (CVE-2024-31857).

The security bulletin from JPCERT advises administrators to update their Forminator installs to version 1.29.3 to address these vulnerabilities. Despite the patch being available, more than 200,000 sites are still vulnerable as they are running older versions of the plugin.

Researchers have reported attacks exploiting the CVE-2024-28890 vulnerability in the wild. Forminator is widely used with over 500,000 active installations, making it a target for cyber attacks. Administrators are strongly encouraged to update their plugin to ensure the security of their websites.
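As an added defensive check (not from the article, JPCERT or WPMU DEV), the Python below parses the version out of a WordPress plugin's main-file header and flags Forminator installs older than 1.29.3, the fixed release the bulletin names; the plugin file path and the sample header are assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Fixed release named by JPCERT and the three CVEs it addresses (from the article).
FIXED_VERSION = "1.29.3"
FIXED_CVES = ("CVE-2024-28890", "CVE-2024-31077", "CVE-2024-31857")

# "Version:" line of a standard WordPress plugin header comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

def parse_version(text: str) -> Optional[str]:
    """Return the Version string from a plugin main-file header, or None if absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None

def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.29.3' -> (1, 29, 3); a suffix such as '-beta' is dropped. Numeric comparison
    matters: plain string comparison would rank '1.9.0' above '1.29.3'."""
    core = re.split(r"[^0-9.]", v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_tuple(installed) < version_tuple(fixed)

def check_plugin_file(path: Path) -> dict:
    """Inspect wp-content/plugins/forminator/forminator.php (assumed main file) and report."""
    version = parse_version(path.read_text(encoding="utf-8", errors="replace")[:4096])
    vuln = None if version is None else is_vulnerable(version)
    return {"path": str(path), "version": version, "vulnerable": vuln,
            "cves": FIXED_CVES if vuln else ()}

# Constructed sample header imitating a pre-patch install (not the real plugin file).
SAMPLE_OLD_HEADER = """<?php
/**
 * Plugin Name: Forminator
 * Version: 1.29.0
 */
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_OLD_HEADER)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

Run `check_plugin_file(Path("wp-content/plugins/forminator/forminator.php"))` against each site you manage; a `vulnerable: True` result means all three CVEs apply until the plugin is updated.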

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
