WordPress: Vulnerable plugin Forminator

31 August 2023 - by Jamie

Should I be worried?

Well, this vulnerability is a biggy. With over 400,000 installations and a flaw that allows arbitrary file uploads, there will be a lot of compromised WordPress sites that use the affected versions of this plugin in the following months. According to the CVE, versions up to and including 1.24.6 are affected, and a PoC (proof of concept) has just been released.

How does it work?

This Forminator exploit has been rated critical because it can be performed as a remote, unauthenticated attack and allows malicious files to be uploaded to your WordPress site. Once the nasty file has been uploaded, RCE (remote code execution) gives the attacker free rein over your WordPress install, allowing the whole site to be taken over.

This technique is classified by MITRE as T1608.002 (Upload Tool) and is rated a near-perfect score (not a good thing in this case) of 9.8 out of 10 by Wordfence.


What should I do?

This has been patched in version 1.25.0, not that the changelog makes it clear, so it is important for you to update the plugin to the latest version. If you know your product is vulnerable and can be used to take over a whole website, we think it's important to make sure your users are aware of this and know the severity of the problem. Do you think their changelog makes this clear? https://wordpress.org/plugins/forminator/#developers
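If you look after more than one WordPress install, the following added example (not code from Pipe Ten or the Forminator project) walks a web root, reads each Forminator copy's plugin header and flags anything older than 1.25.0. The plugin file path `wp-content/plugins/forminator/forminator.php` is an assumption, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 25, 0)  # first patched release, per the article
# Assumption: the plugin's main file lives at this path inside each site.
PLUGIN_FILE = "wp-content/plugins/forminator/forminator.php"
# Standard WordPress plugin header line, e.g. " * Version: 1.24.6"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9.]*)", re.I | re.M)

def parse_version(header):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(header)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))  # "1.25" -> (1, 25, 0)

def classify(version):
    if version is None:
        return "unknown"  # header unreadable: check this copy by hand
    return "vulnerable" if version < FIXED else "patched"

def scan(root):
    """Return [(site, version, status)] for every Forminator copy under root."""
    root = Path(root)
    results = []
    for php in sorted(root.rglob(PLUGIN_FILE)):
        with php.open(errors="replace") as fh:
            version = parse_version(fh.read(8192))  # header sits at the top
        site = php.parents[3].relative_to(root)  # drop the plugin path parts
        results.append((str(site), version, classify(version)))
    return results

if __name__ == "__main__":
    # Constructed sample tree standing in for a hosting server's web root.
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in (("site-a", "1.24.6"), ("site-b", "1.25.0")):
            f = Path(tmp, site, PLUGIN_FILE)
            f.parent.mkdir(parents=True)
            f.write_text(f"<?php\n/**\n * Plugin Name: Forminator\n * Version: {ver}\n */\n")
        for site, version, status in scan(tmp):
            print(f"{site}: {'.'.join(map(str, version or ()))} -> {status}")
```

A "patched" result only confirms the version on disk; it says nothing about files uploaded while an older version was installed.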


Author: Jamie Moynahan
Jamie is the Support Manager at Pipe Ten and has been an integral part of the team for well over 10 years. Jamie is a seasoned expert in the intricacies of the fast-changing world of website application hosting. His expansive knowledge and experience of hosting website applications is instrumental to the entire customer support experience which customers have come to rely on. Jamie has written and published hundreds of articles about hosting and managing website applications.
