Forminator WordPress Plugin Vulnerability Affects Up To 400,000+ Websites

Validation is preferred over sanitization because validation is more specific.

CVE-2023-4596 Detail

According to National Vulnerability Database and the Wordfence WordPress security company, the issue has been addressed in version 1.25.0.

“The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6.

A Remote Code Execution (RCE) vulnerability is a type of exploit where the attacker can execute malicious code on the attacked website remotely from another machine.

What makes this vulnerability particularly worrisome is that it allows unauthenticated attackers, those with no user level at all, to successfully hack the site.

The developer page advises:

The vulnerability score rating is 9.8, on a scale of one to ten, with ten being the most severe vulnerability level.

Screenshot Of Wordfence Advisory

Image showing that the Forminator WordPress Plugin vulnerability is rated 9.8Screenshot from Wordfence.com

Vulnerability To Unauthenticated Attackers

The WordPress developer page for plugin security (Sanitizing Data) explains how to properly handle uploads from untrusted sources.

“Update to version 1.25.0, or a newer patched version…”

Forminator Plugin Changelog

For example, some vulnerabilities are available to those with a subscriber user level, others require contributor or admin level in order to perform an attack.

WordPress plugins that allow a registered or unauthenticated users to upload anything, even text or images, must have a way to limit what can be uploaded.

Forminator <= 1.24.6 – Unauthenticated Arbitrary File Upload

Unauthenticated attackers can upload malicious files to websites which, according to the warning, “may make remote code execution possible.”

This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.”

Remote Code Execution

WordPress Plugin Forminator 1.24.6 – Unauthenticated Remote Command Execution

A second reason why this vulnerability is rated 9.8 on a scale of 1 – 10 (critical) is that the attacker can upload an arbitrary file, which means any kind of file, like a malicious script.

WordPress publishes coding standards for publishers to know how to prevent these kinds of things.

These kinds of vulnerabilities are not particular to WordPress, they can happen to any Content Management System.

Sanitizing input is the process of securing/cleaning/filtering input data.

“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.

Wordfence recommends updating to the latest version:

Read the Wordfence advisory on the Forminator WordPress Contact Form Plugin Vulnerability

It’s a good practice to let your users know that a software update contains a fix (called a patch) for a vulnerability.

This lets users know that a particular update is urgent so that they can make an informed decision about updating their software.

Read the official National Vulnerability Database advisory:

Featured image by Shutterstock/ViDI Studio



منبع

Forminator Contact Form for WordPress Plugin changelog

Sources:

The National Vulnerability Database (NVD) describes the vulnerability:

Read the Exploit Database report on the Forminator Contact Form vulnerability

The U.S. Government National Vulnerability Database (NVD) published notice of a critical vulnerability affecting the Forminator WordPress Contact Form plugin up to an including version 1.24.6.

But when “more specific” isn’t possible, sanitization is the next best thing.”

Has the Forminator Contact Form Plugin Fixed The Vulnerability?

Judge for yourself whether the Forminator changelog offers sufficient notification to their users about a vulnerability patch:

Screenshot of Forminator Changelog

Contact Forms must be especially locked down because they accept input from the public.

RCE Not Specific To WordPress

The damage from this kind of exploit can be as severe as a full site takeover.

Contact Forms Must Be Locked Down

Otherwise, how would a software user know that an update is urgent without the changelog informing them, right?

Many vulnerabilities tend to require an attacker to first attain a WordPress user level before they can launch an attack.

A changelog is a record of all the changes made to a software. It allows users to read it and determine whether or not they want to update their software.