Forminator Vulnerability – Unauthenticated Stored Cross-Site Scripting via File Upload – CVE-2024-1794 | WordPress Plugin Vulnerability Report

Plugin Name: Forminator

Key Information:

  • Software Type: Plugin
  • Software Slug: forminator
  • Software Status: Active
  • Software Author: wpmudev
  • Software Downloads: 6,543,744
  • Active Installs: 500,000
  • Last Updated: March 29, 2024
  • Patched Versions: 1.29.1
  • Affected Versions: <= 1.29.0

Vulnerability Details:

  • Name: Forminator <= 1.29.0 - Unauthenticated Stored Cross-Site Scripting via File Upload
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-1794
  • CVSS Score: 7.2 (High)
  • Publicly Published: March 29, 2024
  • Researcher: wesley (wcraft)
  • Description: The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. 3gpp file) in all versions up to, and including, 1.29.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Forminator plugin for WordPress has a vulnerability in versions up to and including 1.29.0 that allows unauthenticated attackers to inject arbitrary web scripts via an uploaded file due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 1.29.1.

Detailed Overview:

The Forminator plugin vulnerability was discovered by security researcher wesley (wcraft), who found that the plugin insufficiently sanitized and escaped user input from uploaded files, such as 3gpp files. This oversight makes it possible for unauthenticated attackers to inject malicious scripts that would execute whenever a user accesses a compromised page, potentially leading to sensitive information disclosure or further site compromise. The vulnerability affects all versions of the plugin up to and including 1.29.0.

Advice for Users:

  1. Immediate Action: Update the Forminator plugin to version 1.29.1 or later to ensure protection against this vulnerability.
  2. Check for Signs of Vulnerability: Review your site for any suspicious or unauthorized content, particularly in pages containing forms created with the Forminator plugin.
  3. Alternate Plugins: Although a patch is available, users may still want to evaluate alternative plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

Conclusion:

The prompt response from the Forminator plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.29.1 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/forminator

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/forminator/forminator-1290-unauthenticated-stored-cross-site-scripting-via-file-upload

Detailed Report:

In today's digital landscape, website security is of utmost importance. As a website owner, it's crucial to stay informed about potential vulnerabilities that could compromise your site's integrity and put your users' data at risk. A recent vulnerability discovered in the popular Forminator plugin for WordPress serves as a stark reminder of the need for vigilance and timely updates.

About the Forminator Plugin

The Forminator plugin, developed by wpmudev, is a widely-used form creation tool for WordPress websites. With over 6.5 million downloads and 500,000 active installations, it's a popular choice for businesses looking to create custom forms, quizzes, and polls.

The Vulnerability: CVE-2024-1794

Security researcher wesley (wcraft) discovered a severe vulnerability in the Forminator plugin, identified as CVE-2024-1794. This vulnerability, present in all versions up to and including 1.29.0, allows unauthenticated attackers to inject malicious scripts into pages containing forms created with the plugin due to insufficient input sanitization and output escaping.

The vulnerability has a CVSS score of 7.2, classifying it as a high-risk issue. It was publicly disclosed on March 29, 2024, and a patch was promptly released in version 1.29.1.

Risks and Potential Impacts

If left unpatched, the Forminator vulnerability could have serious consequences for affected websites:

  1. Sensitive Data Theft: Attackers could inject scripts to steal sensitive user information submitted through compromised forms.
  2. Website Defacement: Malicious scripts could be used to deface websites, damaging the brand's reputation.
  3. Unauthorized Access: In severe cases, attackers might gain unauthorized access to the site's backend, compromising the entire website.

How to Remediate the Vulnerability

To protect your WordPress site from this vulnerability, follow these steps:

  1. Update Immediately: Update the Forminator plugin to version 1.29.1 or later, which includes a patch for this vulnerability.
  2. Review Your Site: Check your website for any signs of compromise, such as suspicious content or unauthorized changes.
  3. Consider Alternatives: If you're concerned about the plugin's security, consider using alternative form creation tools.
  4. Stay Updated: Ensure that all your WordPress plugins and themes are always up to date to minimize security risks.
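As an added example (not code from the advisory, Wordfence or the plugin), the script below turns the first two steps of the remediation lists above into repeatable checks: it reads the installed Forminator version from the plugin file header and compares it with the patched version 1.29.1, and it scans an uploads directory for files carrying a media extension (such as .3gpp) whose leading bytes are HTML or script markup rather than a media container. The plugin's main-file path and the markup heuristic are assumptions, since the advisory does not describe the stored payload beyond "an uploaded file (e.g. 3gpp file)".

```python
# Added defender checks for CVE-2024-1794; not code from the advisory or the plugin.
# (1) compare the plugin version from its main file header against 1.29.1;
# (2) flag media-extension uploads whose first bytes are HTML/script markup.
# The markup heuristic is an assumption: the advisory does not detail the payload.
import os
import re
from pathlib import Path

PATCHED = (1, 29, 1)  # first fixed version, from the advisory
# Assumption: location of the plugin's main file (not stated on the page).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/forminator/forminator.php")
MEDIA_EXTS = {".3gpp", ".3gp", ".mp4", ".mp3", ".webm", ".ogg", ".png", ".jpg", ".gif"}
MARKUP_RE = re.compile(rb"^\s*(<!doctype|<html|<script|<svg|<\?xml)", re.IGNORECASE)

def parse_version(s: str) -> tuple:
    """'1.29' -> (1, 29, 0); only the first three numeric parts count."""
    parts = [int(p) for p in re.findall(r"\d+", s)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(version: str) -> bool:
    """Affected range from the advisory: <= 1.29.0, i.e. anything below 1.29.1."""
    return parse_version(version) < PATCHED

def version_from_header(header_text: str):
    """Extract the 'Version:' field of a WordPress plugin file header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def looks_like_markup(head: bytes) -> bool:
    """True when the leading bytes read as HTML/script, not as a media container."""
    return MARKUP_RE.match(head) is not None

def suspicious_uploads(uploads_dir: str) -> list:
    """Sorted paths of media-extension files whose first 512 bytes are markup."""
    hits = []
    for root, _, files in os.walk(uploads_dir):
        for name in files:
            path = Path(root) / name
            if path.suffix.lower() in MEDIA_EXTS:
                with open(path, "rb") as f:
                    if looks_like_markup(f.read(512)):
                        hits.append(str(path))
    return sorted(hits)

if __name__ == "__main__":
    if PLUGIN_MAIN_FILE.exists():
        v = version_from_header(PLUGIN_MAIN_FILE.read_text(errors="ignore"))
        print("forminator", v, "VULNERABLE" if v and is_vulnerable_version(v) else "patched/unknown")
    for hit in suspicious_uploads("wp-content/uploads"):
        print("review:", hit)
```

Run it from the WordPress root; any path it prints under "review:" is a file to inspect by hand, not proof of compromise, because the markup heuristic is only an approximation.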

Previous Vulnerabilities

It's worth noting that the Forminator plugin has had a history of vulnerabilities. Since February 2019, 14 vulnerabilities have been discovered in the plugin, emphasizing the importance of regular updates and staying informed about potential security issues.

The Importance of Staying Vigilant

As a small business owner, managing a WordPress website can be challenging, especially when it comes to staying on top of security vulnerabilities. However, neglecting website security can have dire consequences, ranging from data breaches to loss of customer trust and damage to your brand's reputation.

To ensure your website remains secure, it's essential to prioritize regular updates, keep an eye out for vulnerability reports, and consider seeking professional help if you're unsure about managing your site's security. By taking proactive steps and staying informed, you can protect your website, your users' data, and your business from potential threats.

Remember, investing in website security is investing in the long-term success of your online presence. Don't wait until it's too late – take action today to keep your WordPress site safe and secure.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
