Forminator Vulnerability – Contact Form, Payment Form & Custom Form Builder – Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode – CVE-2024-3053 | WordPress Plugin Vulnerability Report
Plugin Name: Forminator – Contact Form, Payment Form & Custom Form Builder
Key Information:
- Software Type: Plugin
- Software Slug: forminator
- Software Status: Active
- Software Author: wpmudev
- Software Downloads: 6,757,114
- Active Installs: 500,000
- Last Updated: April 16, 2024
- Patched Versions: 1.29.3
- Affected Versions: <= 1.29.2
Vulnerability Details:
- Name: Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.29.2
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-3053
- CVSS Score: 6.4
- Publicly Published: April 8, 2024
- Researcher: Wesley
- Description: The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ attribute in the forminator_form shortcode, affecting versions up to and including 1.29.2. This vulnerability is due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts that execute when a user accesses an injected page.
Summary:
The Forminator plugin for WordPress has a vulnerability in versions up to and including 1.29.2 that allows authenticated contributors to execute stored cross-site scripting attacks via the ‘id’ attribute in the forminator_form shortcode. This vulnerability has been patched in version 1.29.3.
Detailed Overview:
The vulnerability identified in the Forminator plugin by researcher Wesley pertains specifically to the misuse of the ‘id’ attribute in the forminator_form shortcode. Attackers with at least contributor privileges can exploit this flaw to inject malicious JavaScript, which remains stored on the website. This script can then be triggered whenever any user accesses a page containing the compromised shortcode. Such vulnerabilities pose significant security risks, including unauthorized data access, manipulation of website content, and compromised user sessions.
Advice for Users:
- Immediate Action: Users are urged to update to the patched version 1.29.3 without delay.
- Check for Signs of Vulnerability: Look for unexpected scripts or behavior in the areas of your website that utilize the Forminator plugin, especially in forms.
- Alternate Plugins: Consider evaluating other well-supported and regularly updated form builder plugins if you frequently encounter security issues with your current plugin.
- Stay Updated: Always keep your plugins up-to-date to mitigate the risks associated with software vulnerabilities.
Conclusion:
The rapid development and release of a patch for this vulnerability by the developers of Forminator highlight the critical nature of maintaining up-to-date software on your WordPress site. It is crucial for users to install updates as soon as they are available to protect their sites from potential threats.
References:
Detailed Report:
In today's digital landscape, maintaining the integrity of your website is as crucial as ever, not only to protect your data but also to preserve the trust of your users. The recent discovery of a significant security flaw in the Forminator plugin—a popular tool for WordPress users—serves as a stark reminder of this reality. The vulnerability, known as an Authenticated Stored Cross-Site Scripting (XSS) issue, affects all versions of the plugin up to 1.29.2 and allows attackers with basic contributor access to inject harmful scripts that can be executed unknowingly by any site visitor. This breach not only underscores the ongoing risks associated with outdated software but also the importance of prompt updates and vigilant security practices to safeguard against potential threats. For those concerned about their site’s security, this post aims to provide essential information on how to address this vulnerability, monitor for signs of compromise, and maintain a secure online presence in an increasingly vulnerable digital environment.
Risks and Potential Impacts:
The vulnerability exposes sites to potential unauthorized data access, manipulation of website content, and compromised user sessions. This could lead to a loss of consumer trust and potentially severe reputational and financial damage if sensitive information were to be accessed or manipulated by an unauthorized party.
Overview of Previous Vulnerabilities:
Forminator has experienced 15 documented vulnerabilities since February 6, 2019. This history highlights the critical importance of ongoing vigilance and regular updates as part of a proactive security strategy.
Conclusion:
The prompt patching of vulnerabilities like the one found in Forminator demonstrates the ongoing cat-and-mouse game between software developers and cyber threats. For small business owners, who often lack the time and resources to stay on top of these issues, leveraging managed WordPress hosting services, setting up automatic updates, and engaging with professional cybersecurity services can provide peace of mind and fortify the security of their digital assets.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.