CVE-2024-28890: Incsub Forminator File Upload Vulnerability

CVE-2024-28890 Overview

CVE-2024-28890 is an unrestricted upload of file with dangerous type vulnerability affecting the Forminator WordPress plugin prior to version 1.29.0. This vulnerability allows remote attackers to upload files with dangerous types to the server, potentially leading to unauthorized access to sensitive information, website defacement, or denial-of-service conditions.

Critical Impact

Remote attackers can exploit this vulnerability to upload malicious files, access sensitive server data, modify website content, or cause service disruption on WordPress sites running vulnerable versions of Forminator.

Affected Products

• Incsub Forminator plugin versions prior to 1.29.0
• WordPress sites using the free version of Forminator
• All platforms running vulnerable Forminator installations

Discovery Timeline

• 2024-04-23 - CVE-2024-28890 published to NVD
• 2025-04-04 - Last updated in NVD database

Technical Details for CVE-2024-28890

Vulnerability Analysis

This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The Forminator plugin fails to properly validate and restrict the types of files that can be uploaded through its form submission functionality. This allows attackers to bypass intended security controls and upload potentially malicious files to the web server.

When exploited, attackers can leverage this file upload weakness to place executable scripts or other dangerous file types on the server. The impact extends across three key security domains: confidentiality (accessing sensitive files on the server), integrity (altering the site using the plugin), and availability (causing denial-of-service conditions).

Root Cause

The root cause of this vulnerability lies in insufficient file type validation within the Forminator plugin's upload handling mechanism. The plugin does not adequately restrict or sanitize uploaded file types, allowing attackers to upload files that should be blocked by security controls. This implementation gap enables dangerous file types to be stored on the server, which can then be accessed or executed by the attacker.

Attack Vector

The attack requires local access according to the CVSS vector classification. An attacker with low privileges can exploit this vulnerability without user interaction. The exploitation path involves submitting a form with a malicious file attachment that bypasses the plugin's inadequate file type restrictions.

The vulnerability allows attackers to:

1. Upload files with dangerous extensions or content types
2. Access the uploaded files on the server
3. Leverage the uploaded content to read sensitive data, modify website content, or disrupt service availability

For detailed technical information about the exploitation mechanics, refer to the JVN Security Advisory JVN50132400.

Detection Methods for CVE-2024-28890

Indicators of Compromise

• Unexpected or suspicious files appearing in WordPress upload directories
• File extensions that don't match expected form submission types (e.g., .php, .phtml, .asp files)
• Unusual HTTP requests targeting Forminator form endpoints with file attachments
• Web shell activity or unauthorized file access patterns in server logs

Detection Strategies

• Monitor WordPress upload directories for newly created files with executable extensions
• Implement web application firewall (WAF) rules to detect suspicious file upload attempts
• Review Forminator form submission logs for anomalous file upload activity
• Scan for known web shell signatures in upload directories
• Enable file integrity monitoring on WordPress installations

Monitoring Recommendations

• Configure real-time alerts for file creation events in WordPress directories
• Implement logging for all form submissions containing file attachments
• Set up automated scans for malicious file patterns in upload folders
• Monitor server resource utilization for signs of denial-of-service activity

How to Mitigate CVE-2024-28890

Immediate Actions Required

• Update Forminator plugin to version 1.29.0 or later immediately
• Audit existing upload directories for any suspicious or unexpected files
• Review server access logs for signs of exploitation attempts
• Consider temporarily disabling file upload functionality in Forminator forms until patched
• Implement additional file type restrictions at the web server level

Patch Information

The vulnerability has been addressed in Forminator version 1.29.0. Site administrators should update to this version or later through the WordPress plugin management interface or by downloading directly from the WordPress Plugin Page. Additional security resources are available from WPMU DEV.

Workarounds

• Restrict file upload functionality in Forminator forms until the patch is applied
• Implement server-level file type restrictions using .htaccess or web server configuration
• Deploy a Web Application Firewall (WAF) with file upload inspection rules
• Configure the server to prevent execution of uploaded files in upload directories
• Limit upload directory permissions to prevent file execution

# Apache .htaccess configuration to prevent script execution in upload directories
# Add to the uploads directory
<Files *>
    SetHandler none
    SetHandler default-handler
    Options -ExecCGI
    RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .cgi .pl .asp .aspx .shtml .htm .html .py .rb
</Files>

# Alternative: Deny direct access to dangerous file types
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|cgi|pl|asp|aspx|py|rb)$">
    Require all denied
</FilesMatch>