Hundreds of thousands of WordPress websites are exposed to a critical flaw in a plugin that lets threat actors upload malicious files to the site.
As reported by BleepingComputer, Japan's CERT (JPCERT/CC) recently disclosed a critical-severity vulnerability (CVSS 9.8) in the Forminator plugin built by WPMU DEV. The flaw, tracked as CVE-2024-28890, lets a remote attacker upload files to the server without sufficient validation, which in turn can be used to obtain sensitive information by accessing files on the server.
The researchers also said that the flaw can be used to alter site content, conduct denial-of-service (DoS) attacks, and more.
No evidence of abuse
Forminator is a plugin that lets WordPress operators add custom contact, feedback, quiz, survey, poll, and payment forms. Everything is drag-and-drop, so it is easy to use, and it integrates with many other plugins.
WPMU DEV has addressed the issue and released a patch. Users are advised to update Forminator to version 1.29.3 or later as soon as possible. At the time of writing, the WordPress.org plugin page shows at least 500,000 active installations, of which 56% are on the latest version. That leaves well over 200,000 websites that may still be vulnerable.
So far, there is no evidence that CVE-2024-28890 is being exploited in the wild, but given its destructive potential and ease of exploitation, it is likely only a matter of time.
While WordPress core is generally considered a secure platform, its plugins and add-ons are the most common way in for attackers. As a general rule, WordPress administrators should keep the platform, plugins, themes, and add-ons updated at all times, and should deactivate, and preferably delete, any add-ons they are not actively using, since a deactivated plugin's files remain on the server.
WordPress is the world's most widely used website platform, powering nearly half of all websites on the Internet.