A Severe Vulnerability in the Forminator Plugin Affects over 300,000 WordPress Sites

Forminator Plugin Vulnerabilities

According to a recent cybersecurity finding, more than 50,000 websites that use the popular WordPress plugin Forminator are exposed to severe security vulnerabilities.

Website administrators who use the Forminator plugin on WordPress must update to the most recent version of the plugin as soon as possible. Several flaws in the plugin could allow malicious file uploads and site crashes on affected websites.


The vulnerability notes portal (JVN) of Japan’s CERT released an alert on Thursday warning of a severe flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator, which might enable a remote attacker to upload malware to websites that use the plugin.

Attackers could carry out various malicious activities with the help of these vulnerabilities, such as stealing confidential information or taking total control of compromised websites.

What is the Forminator Plugin?

A popular WordPress plugin, Forminator, generates and manages several forms on websites, such as surveys, quizzes, and contact forms.

Furthermore, the plugin integrates with several other services, including AWeber, Google Sheets, Zapier, Trello, and MailChimp. This means you can use Forminator to collect emails, data, and nearly any other information.

Website administrators prefer it because of its easy-to-use drag-and-drop interface and its compatibility with CRMs and email marketing platforms.

However, because of its widespread popularity, attackers also find it an attractive target.

Technical Specifics of the Vulnerabilities

Three distinct vulnerabilities affected the WordPress plugin Forminator, according to a recent JPCERT/CC warning. Malicious file uploads, access to stored data, and website crashes might all result from abusing these vulnerabilities.

CVE-2024-28890 (CVSS 9.8): Unrestricted File Upload

A severe vulnerability that could allow unrestricted file uploads. Using it, an attacker might get access to private information, upload malicious files to the target server, and even tamper with the plugin to cause a denial of service (DoS). This could result in the website being taken over and unauthorized code execution.

This vulnerability’s critical severity is indicated by its 9.8 CVSS score.

CVE-2024-31077 (CVSS 7.2): SQL Injection 

Attackers with administrator rights can use this vulnerability to run any SQL query in the website’s database.

Through this SQL injection vulnerability, an attacker could access or modify information in the target database, and DoS attacks might also be possible.

The CVSS score for this vulnerability is 7.2.

CVE-2024-31857 (CVSS 6.1): Cross-Site Scripting (XSS)

A cross-site scripting (XSS) vulnerability that an attacker could use to change the content of the target website and obtain user data.

Using this vulnerability, attackers can insert malicious HTML or script code into pages that users view.

This could result in stealing session tokens, cookies, or other private data the user’s browser manages.  

The CVSS score for the XSS flaw is 6.1.

Remediation Approaches 

It is recommended that site administrators who use the Forminator plugin update it as soon as possible to version 1.29.3, which fixes all three vulnerabilities.  

Roughly 180,000 site administrators have downloaded the plugin since the security update was released on April 8, 2024, according to statistics provided by WordPress.org. Even if every download was for the most recent version, 320,000 websites are still open to intrusions.

The following steps should be taken right now by website administrators who use the Forminator plugin to mitigate these risks:

Continuous Monitoring and Review:

Audit and monitor the website often for any unauthorized modifications or unusual activity. Use various security methods, tools, preventive measures, and plugins to improve monitoring approaches.

Delete Unused Plugins: 

Always deactivate and delete any plugins you won’t use.

Update the Plugin: 

Make sure that Forminator is updated to the most recent version as soon as possible.

Alert the Customers: 

Make sure users know the potential risks of phishing and the different malicious approaches that could be used to exploit these vulnerabilities.
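The update and monitoring steps above can be checked together on a server. The following is an added example, not code from the article or from the Forminator project: it reads the installed plugin version, compares it with 1.29.3, and lists script-like files in the uploads directory. The plugin file path and the extension list are assumptions; a listed file is a lead to review, not proof of compromise.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 29, 3)  # first fixed Forminator release named in the article
# Assumption: extensions the web server may hand to PHP; adjust to your config.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}
# Assumption: default install path of the plugin's main file.
PLUGIN_FILE = "wp-content/plugins/forminator/forminator.php"

def parse_version(header_text):
    """Return the plugin header's 'Version:' value as a tuple of ints, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", header_text, re.M | re.I)
    return tuple(int(part) for part in m.group(1).split(".")) if m else None

def is_patched(version):
    """True if version >= 1.29.3; pads short versions so (1, 30) compares correctly."""
    padded = tuple(version) + (0,) * (len(FIXED) - len(version))
    return padded >= FIXED

def suspicious_uploads(uploads_dir):
    """List uploaded files carrying a script extension anywhere in the name,
    which also catches double extensions such as 'cv.php.jpg'."""
    base = Path(uploads_dir)
    if not base.is_dir():
        return []
    return [
        p.relative_to(base).as_posix()
        for p in sorted(base.rglob("*"))
        if p.is_file() and SCRIPT_EXTS & {s.lower() for s in p.suffixes}
    ]

def audit(wp_root):
    """Report the installed Forminator version and script-like files in uploads."""
    root = Path(wp_root)
    main = root / PLUGIN_FILE
    version = parse_version(main.read_text(errors="replace")) if main.is_file() else None
    return {
        "installed": version,
        "patched": None if version is None else is_patched(version),
        "suspicious": suspicious_uploads(root / "wp-content" / "uploads"),
    }

if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the WordPress root directory as the only argument; `patched` is `None` when the plugin file is not found at the assumed path.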



WordPress security should be given top priority on any website; having professional guidance at your fingertips could potentially make all the difference.

Experienced WordPress support services can help you identify any setup vulnerabilities and ensure that everything is secure to protect your information. Our comprehensive strategy for security includes every aspect, from keeping an eye on website activity to identifying malicious code and countering brute force attacks. 

Janki Mehta


Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.