WordPress: Vulnerable plugin Forminator

31 August 2023 - by Jamie

Should I be worried?

Well, this vulnerability is a biggy: with over 400,000 installations and arbitrary file uploads allowed, there will be a lot of compromised WordPress sites using the affected versions of this plugin in the coming months. According to the CVE, versions 1.24.6 and below are affected, and a POC (proof of concept) has just been released.

How does it work?

This Forminator exploit has been rated critical because it can be performed via a remote, unauthenticated attack and allows malicious files to be uploaded to your WordPress site. Once the malicious file has been uploaded, RCE (remote code execution) gives the attacker free rein over your WordPress install, allowing the whole site to be taken over.

This technique is classified by MITRE as T1608.002 (Upload Tool) and has been given a near-perfect score (not a good thing in this case) of 9.8 out of 10 by Wordfence.

What should I do?

This has been patched in version 1.25.0, although the changelog doesn't make that clear, so it is important for you to update the plugin to the latest version. If you know your product is vulnerable and can be used to take over a whole website, we think it's important to make sure your users are aware of this and know the severity of the problem. Do you think their changelog makes this clear? https://wordpress.org/plugins/forminator/#developers
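If you manage more than one site, it helps to script the check rather than clicking through each dashboard. The script below is an added example written for this post, not something from the Forminator project or its changelog. It assumes WP-CLI (`wp`) is installed on the server and that the site path you pass is the WordPress root; the only fact it takes from the post is that 1.25.0 is the patched release, so anything below that is treated as affected.

```shell
#!/bin/sh
# Added example: flag a Forminator install whose version is below the patched
# release named in the post (1.25.0) and, where WP-CLI is present, update it.

PATCHED_VERSION="1.25.0"

# version_lt A B: return 0 when dotted version A is strictly lower than B.
# Pure POSIX sh, so it does not depend on GNU `sort -V`.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}"; bx="${bx:-0}"          # missing component counts as 0
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1                                    # equal versions are not "lower"
}

# forminator_vulnerable VERSION: return 0 when VERSION predates the fixed release.
forminator_vulnerable() {
    version_lt "$1" "$PATCHED_VERSION"
}

# check_and_update SITE_PATH: read the installed version via WP-CLI and update
# the plugin only when it is below the patched release. Assumes `wp` is on PATH
# and SITE_PATH is the WordPress root (both assumptions of this example).
check_and_update() {
    site="$1"
    installed="$(wp plugin get forminator --path="$site" --field=version 2>/dev/null)" || {
        echo "Forminator not installed or wp-cli unavailable at $site"
        return 2
    }
    if forminator_vulnerable "$installed"; then
        echo "Forminator $installed at $site is below $PATCHED_VERSION; updating"
        wp plugin update forminator --path="$site"
    else
        echo "Forminator $installed at $site is at or above $PATCHED_VERSION"
    fi
}

# Usage: ./check_forminator.sh /var/www/example-site
if [ $# -gt 0 ]; then
    check_and_update "$1"
fi
```

Run it once per site root from cron or your deployment tooling; the exit code from `check_and_update` (2 when WP-CLI or the plugin is missing) makes it easy to spot hosts where the check itself did not run, which matters more than the pretty output.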
