More than 200 thousand websites are at risk due to vulnerabilities in the Forminator plugin

Japanese experts have identified 3 flaws that affect the security of WordPress.

JPCERT experts warn about a number of critical vulnerabilities in the Forminator plugin for WordPress, developed by WPMU DEV. The popular plugin is used on more than 500,000 sites and provides the ability to create various forms without much programming knowledge.

Of particular note is the vulnerability with the identifier CVE-2024-28890 (CVSS score: 9.8), which allows attackers to remotely upload malicious code to sites using this plugin. This can lead to leaks of confidential information, changes to the site's content, and even a complete denial of service.

In addition, JPCERT points out other security issues, including the SQL injection vulnerability (CVE-2024-31077 with a score of 7.2) and the cross-site scripting vulnerability (CVE-2024-31857 with a score of 6.1). All these shortcomings allow remote attackers to obtain and modify user information, as well as cause site failures.

At the moment, attacks using the CVE-2024-28890 vulnerability have already been recorded. Statistics from WordPress.org also show that there are currently more than 500,000 active plugin installations, but only 55.9% of them have so far been updated to version 1.29, which fixes the identified vulnerabilities. That is, about 220 thousand sites are still vulnerable to attack.

Developers recommend that site administrators update the plugin to the latest version as soon as possible to protect their resources from possible cyber attacks.

It is noteworthy that at the end of August last year, the Forminator plugin also made headlines due to the vulnerability CVE-2023-4596, which allowed unauthorized attackers to upload malicious files to vulnerable sites. Now, 8 months later, the situation has repeated itself.