Forminator – Contact Form, Payment Form & Custom Form Builder Vulnerability – HubSpot Developer API Key Sensitive Information Exposure – CVE-2024-7389 | WordPress Plugin Vulnerability Report

Plugin Name: Forminator – Contact Form, Payment Form & Custom Form Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: forminator
  • Software Status: Active
  • Software Author: wpmudev
  • Software Downloads: 7,946,481
  • Active Installs: 500,000
  • Last Updated: August 6, 2024
  • Patched Versions: 1.29.2
  • Affected Versions: <= 1.29.1

Vulnerability Details:

  • Name: Forminator <= 1.29.1
  • Title: HubSpot Developer API Key Sensitive Information Exposure
  • Type: Sensitive Information Exposure
  • CVE: CVE-2024-7389
  • CVSS Score: 7.5
  • Publicly Published: August 1, 2024
  • Researcher: Sean Murphy
  • Description: The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

Summary:

The Forminator plugin for WordPress has a vulnerability in versions up to and including 1.29.1 that allows sensitive information exposure via the HubSpot integration. This vulnerability has been patched in version 1.29.2.

Detailed Overview:

The Forminator plugin, a popular tool for creating contact forms, payment forms, and custom forms on WordPress sites, was found to have a high-severity vulnerability. Discovered by researcher Sean Murphy, this flaw is due to insufficient protection of the HubSpot integration developer API key within class-forminator-addon-hubspot-wp-api.php. Because no authentication is required, an attacker can extract the API key and use it to make unauthorized changes to the plugin's HubSpot integration or to expose personally identifiable information (PII) of users of the HubSpot integration.

This vulnerability, identified as CVE-2024-7389, has a CVSS score of 7.5, indicating a high severity level. It was publicly disclosed on August 1, 2024, affecting all plugin versions up to and including 1.29.1. The developers quickly responded, releasing a patched version, 1.29.2, on August 6, 2024.

Advice for Users:

  • Immediate Action: Update to version 1.29.2 immediately to close the exposure. Because the patch does not invalidate a key that may already have been extracted, also rotate (regenerate) the HubSpot developer API key so that any copy already taken stops working.
  • Check for Signs of Exploitation: Inspect the site and the connected HubSpot account for unauthorized changes or exposed PII, especially within the HubSpot integration.
  • Alternative Plugins: While a patch is available, users might still consider alternative plugins that offer similar functionality as an extra precaution.
  • Stay Updated: Regularly updating all plugins to their latest versions is crucial to prevent vulnerabilities and protect sensitive data.
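As an added example that is not part of the original report, the following Python script reads the Version: field of a WordPress plugin header and decides whether the installed copy falls inside the affected range given above (<= 1.29.1, fixed in 1.29.2). It assumes the plugin's main file is wp-content/plugins/forminator/forminator.php and uses a constructed sample header as input.

```python
"""Check whether an installed Forminator copy is in the CVE-2024-7389 affected range."""
import re
from pathlib import Path
from typing import Optional, Tuple

# Advisory data taken from the report above.
PATCHED_VERSION = "1.29.2"
LAST_AFFECTED_VERSION = "1.29.1"

# Constructed sample: the top of a plugin main file as WordPress expects it
# (assumed location: wp-content/plugins/forminator/forminator.php).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Forminator
 * Version: 1.29.1
 * Author: WPMU DEV
 */
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.29.1' into (1, 29, 1); a pre-release suffix such as '-beta' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_from_header(header: str) -> Optional[str]:
    """Extract the 'Version:' field of a WordPress plugin header, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header, re.MULTILINE)
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """True when the version is within the affected range (<= 1.29.1)."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def check_plugin_file(path: str) -> str:
    """Report 'affected', 'patched' or 'unknown' for the plugin main file at `path`."""
    version = version_from_header(Path(path).read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "patched"


if __name__ == "__main__":
    found = version_from_header(SAMPLE_HEADER)
    if found and is_affected(found):
        print(f"Forminator {found}: update to {PATCHED_VERSION} and rotate the HubSpot API key")
    else:
        print(f"Forminator {found}: not in the affected range")
```

On a live site, call check_plugin_file() with the path to the plugin's main file; an "affected" result means the update and key rotation above are still outstanding.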

Conclusion:

The prompt response from the Forminator development team to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.29.2 or later to secure their WordPress installations. For small business owners, staying on top of security vulnerabilities might seem daunting, but it is crucial for protecting your online presence. Regular maintenance, including updates and vulnerability checks, is essential in safeguarding your site against potential threats. If you need assistance or have concerns about your website's security, don't hesitate to seek professional help. Staying informed and proactive is key to maintaining a secure and trustworthy website.

Detailed Report: 

Maintaining the security of your website is crucial, especially in today’s digital landscape where vulnerabilities can have significant impacts on your business. One of the most important practices is to keep your website's plugins and software up to date. Recently, a significant security vulnerability was discovered in the Forminator plugin, which is widely used for creating contact forms, payment forms, and custom forms on WordPress sites. This vulnerability, identified as CVE-2024-7389, exposes your site to the risk of sensitive information exposure, allowing unauthenticated attackers to extract the HubSpot integration developer API key and potentially access or manipulate your data.

Risks and Potential Impacts:

The vulnerability affects all versions of the Forminator plugin up to and including 1.29.1. An unauthenticated attacker can exploit this flaw to extract the HubSpot developer API key, which can then be used to make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information (PII) of users. This serious issue, discovered by researcher Sean Murphy and publicly disclosed on August 1, 2024, highlights the necessity for immediate action to protect your site.

Remediation:

The developers at wpmudev promptly addressed the issue by releasing a patched version, 1.29.2, on August 6, 2024. To protect your site, update to the latest version of Forminator immediately. Updating closes the exposure but does not invalidate a key that was extracted before the update, so rotate the HubSpot developer API key as well. Additionally, inspect your site for any signs of unauthorized changes or exposed PII, especially within the HubSpot integration. While a patch is available, exploring alternative plugins that offer similar functionality can be a prudent precaution. Regularly updating all plugins to their latest versions is critical in preventing vulnerabilities and protecting your data.

Overview of Previous Vulnerabilities:

Since February 6, 2019, there have been 19 previous vulnerabilities reported in the Forminator plugin. This history underscores the importance of regular updates and proactive security measures to protect your website from emerging threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
