Forminator, a plugin installed on more than 500,000 WordPress websites to build custom forms, contains a severe security flaw. The vulnerability lets remote attackers upload arbitrary files to the web server, which is a direct path to code execution on any affected site.
Japan's CERT Coordination Center (JPCERT/CC) issued an alert for a critical flaw in Forminator, tracked as CVE-2024-28890 and rated 9.8 on the CVSS v3 scale. A base score of 9.8 means the flaw is reachable over the network with no authentication and no user interaction, and that it fully compromises confidentiality, integrity and availability. It allows remote attackers to upload files to the server hosting a vulnerable site and execute them, potentially leading to unauthorized data access, site modification, or a Denial-of-Service (DoS) condition.
Alongside the critical file-upload issue, the same advisory identified two additional vulnerabilities in the plugin.
Site administrators are strongly advised to update Forminator to version 1.29.3, which addresses these vulnerabilities, immediately. Despite the availability of the fix, WordPress.org statistics as of April 8, 2024 indicate that approximately 320,000 sites were still running an older version, leaving them exposed to exploitation.
Although there were no public reports of these vulnerabilities being exploited at the time of writing, the flaws are simple to exploit, and an unrestricted file upload that yields code execution is one of the most damaging bug classes a web application can have. Any unpatched installation should be treated as at significant risk, and the severity of the flaw makes updating urgent.
To safeguard WordPress installations, update Forminator to version 1.29.3 or later without delay. Because the flaw permits uploading arbitrary files, also review the site's upload directories for unexpected PHP or other executable files that may have been placed before the patch was applied.
For ongoing updates on this situation and more detailed guidance on maintaining robust cybersecurity hygiene, visit Peris.ai Cybersecurity. Our goal is to provide the tools and knowledge you need to defend against sophisticated cyber threats effectively. Secure your digital presence with proactive measures and stay updated with the latest in cyber defense through Peris.ai Cybersecurity - your trusted partner in cybersecurity.
Act now to update your Forminator plugin and protect your site from potential cyber threats.