CVE-2023-4596
📋 TL;DR
The Forminator WordPress plugin up to version 1.24.6 has a critical file upload vulnerability where unauthenticated attackers can upload arbitrary files to the server. This occurs because file type validation happens after upload in the upload_post_image() function, potentially enabling remote code execution. All WordPress sites using vulnerable Forminator versions are affected.
💻 Affected Systems
- Forminator WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, leading to data theft, malware deployment, or site takeover.
Likely Case
Attackers upload web shells or malicious scripts to gain persistent access and execute arbitrary commands.
If Mitigated
Limited impact if file upload directories have strict permissions and web server configurations prevent script execution.
🎯 Exploit Status
Public exploit code is available, making this easily weaponizable by attackers with minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.24.7 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Forminator and click 'Update Now'.
4. Alternatively, download version 1.24.7+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Forminator Plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate forminator
Restrict File Upload Directory Permissions
Set strict permissions on WordPress upload directories to prevent execution of uploaded files. File permissions alone do not stop a PHP handler from interpreting a .php file it is asked to serve, so pair this with the web server configuration that prevents script execution under the uploads directory (see "If Mitigated" above).
chmod 644 /path/to/wp-content/uploads/*
chmod 755 /path/to/wp-content/uploads/
🧯 If You Can't Patch
- Disable the Forminator plugin immediately
- Implement web application firewall rules to block file upload requests to Forminator endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Forminator version. If version is 1.24.6 or lower, you are vulnerable.
Check Version:
wp plugin get forminator --field=version
Verify Fix Applied:
Verify Forminator version is 1.24.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to Forminator endpoints
- POST requests to /wp-admin/admin-ajax.php with action=forminator_upload_post_image
- Files with suspicious extensions (.php, .phtml, .jsp) in upload directories
Network Indicators:
- HTTP POST requests containing multipart/form-data to Forminator upload endpoints
- Unusual traffic spikes to admin-ajax.php
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "forminator_upload_post_image")
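The version check from "How to Verify" and the log and filesystem indicators from "Detection & Monitoring" above, turned into a small defender-side triage script. This is an added example, not part of the advisory or of the Forminator project; the access-log lines, IP addresses, timestamps and file names are constructed, and it assumes the `action` parameter is visible in the logged request line (on real hosts it is usually only in the POST body, so a WAF or reverse-proxy log that records bodies is needed for that indicator).

```python
"""Defender-side triage helpers for CVE-2023-4596 (Forminator <= 1.24.6).

Added example, not part of the advisory or the Forminator project. All
sample data below is constructed; IPs, timestamps and file names are made up.
"""
import os
import re
import tempfile

FIXED_VERSION = (1, 24, 7)            # advisory: 1.24.7 and later are patched
UPLOAD_ACTION = "forminator_upload_post_image"
# Extensions the advisory names (.php, .phtml, .jsp) plus two more that PHP
# hosts commonly execute; extend to match your own handler configuration.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".jsp", ".php5", ".phar"}

# Constructed sample lines in Apache "combined" log format (assumption: the
# action parameter appears in the request line; see lead-in).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Aug/2023:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2023:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=forminator_upload_post_image HTTP/1.1" 200 178 "-" "python-requests/2.31"
198.51.100.7 - - [10/Aug/2023:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 62 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2023:12:00:04 +0000] "GET /wp-content/uploads/2023/08/upload.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_version(text):
    """'1.24.6' -> (1, 24, 6); tolerates suffixes such as '1.24.6-beta'."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def is_vulnerable_version(text):
    """True when the installed version is below the advisory's fixed version."""
    return parse_version(text) < FIXED_VERSION


def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def find_forminator_upload_requests(entries, body_field="body"):
    """POSTs to admin-ajax.php carrying the Forminator upload action.

    The action is matched in the request path or, when the log source records
    it, in an optional per-entry body field (e.g. from a WAF/proxy log).
    """
    hits = []
    for e in entries:
        if e["method"] != "POST" or not e["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        if UPLOAD_ACTION in e["path"] or UPLOAD_ACTION in e.get(body_field, ""):
            hits.append(e)
    return hits


def _has_script_extension(path):
    name = os.path.basename(path.split("?", 1)[0]).lower()
    return any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def find_script_requests_in_uploads(entries):
    """Successful requests for script files under wp-content/uploads.

    A 200 for a .php/.phtml/.jsp path there means a script was both written
    to the upload directory and served, which the workarounds should prevent.
    """
    return [
        e for e in entries
        if e["path"].startswith("/wp-content/uploads/")
        and _has_script_extension(e["path"])
        and e["status"] == 200
    ]


def scan_uploads_dir(root):
    """Walk an uploads tree and list files with script extensions, sorted."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if _has_script_extension(fn):
                found.append(os.path.join(dirpath, fn))
    return sorted(found)


def build_sample_uploads_tree():
    """Create a constructed uploads tree in a temp dir for demonstration."""
    root = tempfile.mkdtemp(prefix="uploads-")
    sub = os.path.join(root, "2023", "08")
    os.makedirs(sub)
    for name in ("photo.jpg", "x.phtml", "notes.txt"):
        open(os.path.join(sub, name), "w").close()
    return root


if __name__ == "__main__":
    print("1.24.6 vulnerable:", is_vulnerable_version("1.24.6"))
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for e in find_forminator_upload_requests(entries):
        print("upload action from", e["ip"], "at", e["ts"])
    for e in find_script_requests_in_uploads(entries):
        print("script served from uploads:", e["path"])
    print("scripts on disk:", scan_uploads_dir(build_sample_uploads_tree()))
```

In production, feed `parse_access_log` the real access log and point `scan_uploads_dir` at `wp-content/uploads`; any hit from the second function or from the directory scan should be treated as a possible post-exploitation artefact and investigated rather than simply deleted.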
🔗 References
- https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php
- https://www.exploit-db.com/exploits/51664
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve