Forminator Plugin Flaw Impacts Over 300K WordPress Sites

Bar Refael

April 24, 2024

A critical vulnerability in the Forminator plugin, affecting over 500,000 WordPress sites, has been disclosed by Japan’s CERT. The flaw, identified as CVE-2024-28890 (CVSS v3: 9.8), permits unauthorized file uploads and potential malware installation.

Forminator by WPMU DEV is a versatile WordPress plugin that facilitates the creation of custom forms, including contact forms, feedback forms, quizzes, and surveys. Its functionality is widely utilized across a broad spectrum of WordPress sites due to its user-friendly drag-and-drop interface and robust third-party integrations.


The critical flaw resides in Forminator versions 1.29.0 and earlier, where insufficient file upload validation allows remote attackers to upload and execute arbitrary files. This vulnerability can lead to unauthorized access, data manipulation, and a denial-of-service (DoS) condition on the affected sites.

Additionally, two more vulnerabilities were reported:

  • CVE-2024-31077: A SQL injection vulnerability in versions up to 1.29.3, allowing attackers with admin privileges to execute arbitrary SQL commands.
  • CVE-2024-31857: A cross-site scripting (XSS) flaw in versions up to 1.15.4, enabling attackers to inject malicious HTML or script code.


If exploited, these vulnerabilities could allow attackers to gain control over an affected site, access sensitive information, alter website content, and disrupt service availability.


Administrators are urged to update the Forminator plugin to version 1.29.3 or later, which resolves these security issues. statistics indicate that approximately 180,000 updates have been downloaded since the release of the patch on April 8, 2024. However, an estimated 320,000 sites have not yet implemented the update, leaving them vulnerable to potential attacks.


  • Prompt Updates: Quickly update to the latest version of Forminator and other critical plugins.
  • Minimal Plugin Use: Limit the number of installed plugins to only those necessary for site functionality.
  • Plugin Management: Regularly review and deactivate unused or unnecessary plugins to minimize potential attack vectors.


As of now, there have been no public reports of exploitation concerning CVE-2024-28890. Nonetheless, given the severity and the ease of exploiting this vulnerability, the risk remains significant for sites delaying the necessary updates.

Stay vigilant and ensure your WordPress installations and plugins are up-to-date to defend against these and other emerging threats.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox