Forminator
CVE-2024-28890
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (jpcert) · only source for this CVE.
CVSS VectorVendor: jpcert
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.
AnalysisAI
Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition. Affected products include: Incsub Forminator. Version information: prior to 1.29.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
More in Forminator
View allThe Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after
The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/ad
The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form field
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a
The Forminator - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Reque
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission s
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object
The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. Rated high s
Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today