Question 1

What is the Forminator plugin used for?

Accepted Answer

What is the Forminator plugin used for?

Forminator is a versatile WordPress plugin designed to help users create various types of forms, including contact forms, payment forms, and custom forms. It also supports surveys and quizzes, making it a comprehensive tool for managing form-based data on WordPress sites. Its ease of use and rich feature set have made it popular among WordPress users.

Question 2

What is the specific vulnerability in Forminator?

Accepted Answer

What is the specific vulnerability in Forminator?

The vulnerability, identified as CVE-2024-7389, is a sensitive information exposure flaw related to the HubSpot integration in the Forminator plugin. It allows unauthenticated attackers to extract the HubSpot developer API key, which can be used to make unauthorized changes to the integration or expose personally identifiable information (PII) from users. This vulnerability affects all versions up to and including 1.29.1.

Question 3

How severe is the Forminator vulnerability?

Accepted Answer

How severe is the Forminator vulnerability?

The vulnerability has a CVSS score of 7.5, indicating a high severity level. This score reflects the significant risk it poses, as it allows unauthorized access to sensitive information without needing authentication. The high severity highlights the urgent need for users to update their plugins to the patched version.

Question 4

Who discovered the vulnerability in Forminator?

Accepted Answer

Who discovered the vulnerability in Forminator?

The vulnerability was discovered by Sean Murphy, a researcher who identified the issue with the HubSpot integration in the Forminator plugin. His findings were publicly disclosed on August 1, 2024, prompting a swift response from the plugin developers. His work has been crucial in ensuring the vulnerability was addressed promptly.

Question 5

Which versions of Forminator are affected by this vulnerability?

Accepted Answer

Which versions of Forminator are affected by this vulnerability?

All versions of Forminator up to and including 1.29.1 are affected by this vulnerability. Users running these versions are at risk and should update to the latest version immediately. The patched version, 1.29.2, was released on August 6, 2024, to address this issue.

Question 6

What steps should I take if I am using an affected version of Forminator?

Accepted Answer

What steps should I take if I am using an affected version of Forminator?

Users should update to version 1.29.2 immediately to mitigate the risk. Additionally, it is important to inspect your site for any signs of unauthorized changes or exposed personally identifiable information (PII), especially within the HubSpot integration. Regular security checks and updates are crucial to maintaining site security.

Question 7

Are there any alternative plugins to Forminator that I can consider?

Accepted Answer

Are there any alternative plugins to Forminator that I can consider?

While updating to the latest version of Forminator is recommended, users might also consider exploring alternative plugins that offer similar functionality. Plugins such as WPForms or Gravity Forms can be viable options. Evaluating different plugins can provide additional security and peace of mind.

Question 8

What is the importance of keeping WordPress plugins updated?

Accepted Answer

What is the importance of keeping WordPress plugins updated?

Regularly updating WordPress plugins is essential to protect against newly discovered vulnerabilities. Updates often include security patches that address potential threats, helping to safeguard your site from attacks. Keeping plugins updated ensures your website remains secure and functional.

Question 9

How can I stay informed about security vulnerabilities in WordPress plugins?

Accepted Answer

How can I stay informed about security vulnerabilities in WordPress plugins?

Staying informed about security vulnerabilities can be achieved by following reputable cybersecurity blogs and subscribing to updates from WordPress and plugin developers. Using security plugins that alert you to potential issues is also beneficial. Regularly checking resources like Wordfence can help you stay updated on the latest threats.

Question 10

What should I do if I suspect my website has been compromised?

Accepted Answer

What should I do if I suspect my website has been compromised?

If you suspect your website has been compromised, take immediate action by updating all plugins and themes to their latest versions. Conduct a thorough security scan to identify and remove any malicious code. Consulting with a cybersecurity professional for a comprehensive assessment and remediation is also advisable.

Sean Murphy

Forminator – Contact Form, Payment Form & Custom Form Builder Vulnerability – HubSpot Developer API Key Sensitive Information Exposure – CVE-2024-7389 | WordPress Plugin Vulnerability Report

AMP for WP Vulnerability– Accelerated Mobile Pages – Authenticated Arbitrary Post Deletion via amppb_remove_saved_layout_data – CVE-2024-1043 |WordPress Plugin Vulnerability Report

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy