Security Flaw in WordPress Forminator Plugin Affects Over 600k WordPress Sites

A serious security flaw allows attackers to delete arbitrary files on affected sites, including critical configuration files. According to the WordPress plugin directory, it is active on over 600,000 WordPress websites.

WordPress security plugin Wordfence recently identified a high-severity vulnerability in the widely used Forminator plugin affecting versions ≤ 1.44.2. This flaw enables unauthenticated attackers to specify arbitrary file paths during form entry deletion, potentially leading to the deletion of vital files like wp-config.php. Such an attack could result in remote code execution or complete site takeover. The vulnerability’s ease of exploitation makes prompt updating crucial.

The vulnerability stems from insufficient validation in the file deletion process (entry_delete_upload_files). Attackers can craft form submissions whose file arrays contain arbitrary file paths. When the deletion function runs, it does not verify whether the files are within the uploads directory or of a safe type, so any file can be deleted, including server-critical ones.

After Wordfence reported the vulnerability via their Bug Bounty program, an update with a patch was released. The patched version adds validation to ensure that only files uploaded via specific fields (upload or signature) within the allowed directory are deleted, preventing malicious path manipulation.
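To illustrate the class of check the fix describes, here is an added example (not Forminator’s or Wordfence’s code): a naive deletion routine that trusts a submitted path next to a hardened one that restricts deletion to upload/signature fields and to files that resolve inside the uploads directory. The function names, the `$uploads_dir` argument and the demo paths are assumptions.

```php
<?php
// Added example, not the plugin's code. Function names and arguments are assumptions.

// Naive deletion: trusts the path taken from the submission, so any file the
// web server may write to (for instance wp-config.php) could be removed.
function naive_delete_entry_file(string $file): bool {
    return unlink($file);
}

// Hardened deletion: only removes a file that (a) belongs to an upload or
// signature field, (b) resolves to an existing regular file, and (c) sits
// inside the allowed uploads directory after path normalisation.
function safe_delete_entry_file(string $file, string $field_type, string $uploads_dir): bool {
    if (!in_array($field_type, ['upload', 'signature'], true)) {
        return false; // only file-bearing fields may trigger a deletion
    }
    $base = realpath($uploads_dir);
    $real = realpath($file);
    if ($base === false || $real === false || !is_file($real)) {
        return false; // unknown base directory, missing file, or not a regular file
    }
    // realpath() collapses "../" segments and symlinks; the resolved path must
    // start with the resolved uploads directory plus a separator.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false; // path escapes the uploads directory
    }
    return unlink($real);
}

// Constructed demo files (not from the advisory), created in the temp directory.
$uploads = sys_get_temp_dir() . '/forminator-demo-uploads';
@mkdir($uploads, 0700, true);
file_put_contents("$uploads/entry-1.png", 'demo');
file_put_contents(sys_get_temp_dir() . '/demo-wp-config.php', '<?php // demo');

// Traversal out of the uploads directory is refused, as is a non-file field;
// a genuine upload inside the directory is deleted.
var_dump(safe_delete_entry_file("$uploads/../demo-wp-config.php", 'upload', $uploads));
var_dump(safe_delete_entry_file("$uploads/entry-1.png", 'text', $uploads));
var_dump(safe_delete_entry_file("$uploads/entry-1.png", 'upload', $uploads));
```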

Website owners or administrators utilizing Forminator should update immediately to the latest version, at least 1.44.3 or newer. Learn more about Wordfence’s analysis and findings on their security report.
