
WordPress plugin compromises over 400,000 websites

  • August 31, 2023

A vulnerability has been discovered in the Forminator WordPress contact form plugin. A patch has since been released, but more than 400,000 websites are still at risk.

A vulnerability in the Forminator WordPress contact form plugin, rated Critical with a CVSS score of 9.8, potentially puts more than 400,000 websites at risk. A patch is now available for the hundreds of thousands of websites that use this plugin.

Impact and countermeasures

Most vulnerabilities cannot be exploited until an attacker has gained WordPress user or administrator access. That is not the case here: attackers do not need to authenticate, which makes this vulnerability even more dangerous.

Attackers can upload malicious files to vulnerable websites and run code remotely. This is possible because the plugin does not sufficiently validate uploaded files. In the worst case, an attacker can take over the entire website.

According to the US National Vulnerability Database and the security plugin Wordfence, Forminator update 1.25.0 fixes the vulnerability. Websites that use the builder, for contact forms among other things, should therefore update to this version as soon as possible.
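To check whether a site still runs a pre-1.25.0 Forminator and whether script files already sit in its upload folder, an audit along these lines can be run against each WordPress root. This is an added example, not code from the article or the plugin; the default WordPress paths, the `forminator.php` main file name and the extension list are assumptions.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 25, 0)  # patched release named in the article
# Assumptions: default WordPress layout and plugin main file name.
PLUGIN_FILE = Path("wp-content/plugins/forminator/forminator.php")
UPLOADS = Path("wp-content/uploads")
SCRIPT_EXT = {".php", ".phtml", ".phar"}  # assumed server-executable types

def parse_version(text):
    """Return the plugin header 'Version:' value as an int tuple, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_patched(version):
    """Compare numerically, padded so 1.25 equals 1.25.0 and 1.9 sorts below 1.25."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded >= FIXED

def audit_site(root):
    """Audit one WordPress root; returns a dict, or None if Forminator is absent."""
    root = Path(root)
    main = root / PLUGIN_FILE
    if not main.is_file():
        return None
    # The plugin header comment sits at the top of the main file.
    version = parse_version(main.read_text(errors="replace")[:8192])
    uploads = root / UPLOADS
    scripts = sorted(
        str(p.relative_to(root)) for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_EXT
    ) if uploads.is_dir() else []
    return {
        "version": version,
        # An unreadable version is treated as not patched so it gets reviewed.
        "patched": version is not None and is_patched(version),
        "scripts_in_uploads": scripts,
    }

if __name__ == "__main__":
    for site in sys.argv[1:]:
        print(site, audit_site(site))
```

Script files reported under the upload folder are leads for manual review, not proof of compromise, since some plugins place their own placeholder files there.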

This isn’t the first time a WordPress plugin has had serious problems. Last month, Ultimate Member was also found to contain a critical security vulnerability. Earlier this year, a leak at Jetpack was also proactively fixed by WordPress.

Source: IT Daily
