Urgent patching alert (CVE-2024-28890) lists critical vulnerabilities in Forminator plugin that affect over 500,000 WordPress sites
: OFFICIAL CVE-2024-28890 PATCHING INFORMATION :
WordPress is one of the most popular content management systems (CMS) in the world, powering millions of websites. Its flexibility, enhanced by thousands of plugins, allows users to create anything from simple blogs to complex e-commerce platforms. However, this flexibility also brings vulnerabilities, as seen in the recent critical security issues identified in the Forminator plugin, liability CVE-2024-28890, used by over 500,000 sites to create forms and surveys.
Overview of Forminator Plugin
Forminator, developed by WPMU DEV, is widely utilized for building custom contact forms, quizzes, surveys, polls, and payment forms. The plugin’s appeal lies in its user-friendly drag-and-drop interface, robust integration capabilities, and versatility. Despite these benefits, recent findings have exposed severe security flaws that could potentially compromise a vast number of websites.
Critical Vulnerabilities Exposed
On Thursday, Japan’s Computer Emergency Response Team (CERT), JPCERT, raised the alarm about a critical severity flaw in Forminator, identified as CVE-2024-28890, with a CVSS v3 score of 9.8. This flaw allows unrestricted file uploads, enabling attackers to upload and execute malicious files on websites’ servers using the compromised versions of the plugin.
The security bulletin detailed three specific vulnerabilities:
- CVE-2024-28890: This is the most severe issue, involving insufficient validation of files during the upload process. It allows remote attackers to upload and execute malicious files, potentially taking over the site or its server.
- CVE-2024-31077: An SQL injection vulnerability that could allow attackers with admin privileges to execute arbitrary SQL queries. This flaw could lead to data theft, website defacement, or complete database compromise.
- CVE-2024-31857: A cross-site scripting (XSS) flaw that permits attackers to inject arbitrary HTML and script code into the pages viewed by users. This can be used to steal cookies and session tokens or even redirect users to malicious websites.
Immediate Actions Required
In response to these findings, the developers quickly released an updated version of the plugin (1.29.3) that addresses these vulnerabilities. WordPress site administrators are urged to update to the latest version immediately to protect their sites from potential attacks.
Despite the release of the patch on April 8, 2024, statistics from WordPress.org indicate that approximately 180,000 site administrators have updated their plugins. This leaves an estimated 320,000 sites still vulnerable to these severe security risks.
Why the Urgency Behind CVE-2024-28890?
The primary concern with CVE-2024-28890 is not just its high severity rating, but also the ease with which it can be exploited. The requirements to leverage this vulnerability are minimal, making it accessible to a wide range of attackers, from novices to seasoned cyber criminals.
While there have been no public reports of active exploitation to date, the combination of high severity and easy exploitability creates a ticking time bomb. Site administrators delaying the update increase their risk of falling victim to attacks that could lead to sensitive information theft, website alteration, and even a complete denial-of-service (DoS) condition, rendering the website inoperable.
Best Practices for WordPress Security
The vulnerabilities in Forminator serve as a critical reminder of the importance of cybersecurity vigilance in managing a WordPress site. Here are some key recommendations to enhance security:
- Minimal Plugin Use: Limit the number of plugins installed. More plugins mean more potential entry points for attackers.
- Regular Updates: Always update plugins to their latest versions as soon as updates are available. Developers frequently update software to patch known vulnerabilities.
- Deactivate Unused Plugins: If a plugin is not actively needed, it is wise to deactivate or uninstall it to reduce the attack surface.
- Regular Backups: Maintain regular backups of your website. In the event of a security breach, backups ensure that you can restore your site to its pre-attack state.
- Security Plugins: Consider installing security-specific plugins that offer features like firewalls, site scanning, and real-time monitoring for added protection.
- Strong Password Policies: Enforce strong password policies for all users, especially administrators. Use multi-factor authentication to add an additional layer of security.
- General Network Protection: Adopting a solution to mitigate the execution of malicious files by focusing on real-time application behavior monitoring and enforcement. By using machine learning cybersecurity tools and behavioral analytics, it is possible to use real-time application visibility to detect unusual activities or deviations from normal operational patterns. This enables security teams to identify potentially malicious file executions before they can impact the system. Additionally, security policies should be enforced at the application level, automatically intervening to stop or contain suspicious activities. This proactive approach helps prevent unauthorized changes or the execution of harmful files, thus safeguarding sites and their servers from potential takeover.
In 2024 we’ve already witnessed a rise in zero-day threats and vulnerabilities, with the TeamCity vulnerability, the ConnectWise ScreenConnect vulnerability, CVE-2023-48788, CVE-2024-21412, CVE-2024-22245, CVE-2024-21413, and CVE-2024-2879 being exploited in the wild. The discovery of these new vulnerabilities within the Forminator plugin further shows the ongoing risks associated with using third-party extensions on any platform. WordPress site administrators can significantly mitigate these risks by adhering to security best practices, regularly updating systems, and staying ahead of potential threats with preventative practices—like the use of microsegmentation tools and taking precautions in preventing zero-day attacks. Immediate action to update affected plugins and rigorous adherence to comprehensive security strategies are essential steps in protecting your digital assets in an increasingly hostile cyber environment.
: OFFICIAL CVE-2024-28890 PATCHING INFORMATION :