CVE-2024-10402

7.5 HIGH

📋 TL;DR

The Forminator WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Contributor-level access or higher to create and edit forms, including editing user registration forms so that newly registered users receive the Administrator role by default. All WordPress sites running Forminator versions up to and including 1.35.1 are affected.

💻 Affected Systems

Products:
  • Forminator Forms – Contact Form, Payment Form & Custom Form Builder for WordPress
Versions: All versions up to and including 1.35.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Forminator plugin installed and at least one user with Contributor role or higher.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers with minimal permissions can create administrator accounts, leading to complete site compromise, data theft, malware injection, and privilege escalation.

🟠 Likely Case: Malicious contributors or authors modify registration forms to create backdoor admin accounts, gaining full control over the WordPress installation.

🟢 If Mitigated: With strict user role management and monitoring, impact is limited to unauthorized form modifications by trusted users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.35.2

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3169243/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Forminator plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.35.2 or later from WordPress.org and update manually.

🔧 Temporary Workarounds

Temporarily disable plugin (Platforms: all)

Deactivate the Forminator plugin until patched:

wp plugin deactivate forminator

Restrict user roles (Platforms: all)

Remove Contributor and Author roles from untrusted users (list contributors, then demote each to Subscriber; repeat with --role=author for authors):

wp user list --role=contributor --field=ID
wp user set-role <user_id> subscriber

🧯 If You Can't Patch

  • Implement strict user role management - only grant Contributor+ roles to absolutely trusted users
  • Enable comprehensive logging and monitoring of form modifications and user role changes

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Forminator → Version. If version is 1.35.1 or lower, you are vulnerable.

Check Version:

wp plugin get forminator --field=version

Verify Fix Applied:

Confirm Forminator version is 1.35.2 or higher in WordPress admin panel.
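Checking the version by hand works for one site; for many sites the comparison is worth scripting, and naive string comparison gets it wrong (as a string, "1.9.0" sorts after "1.35.2"). The following is an added example, not part of this advisory or of the Forminator project: it assumes the version string comes from `wp plugin get forminator --field=version` (called through subprocess when WP-CLI is on PATH) and that 1.35.2 is the first patched release, as stated above.

```python
"""Check whether a Forminator version string falls in the vulnerable range.

Added example, not part of this advisory or of the Forminator project. It
assumes the version string comes from `wp plugin get forminator --field=version`
(run here through subprocess when WP-CLI is available) and that 1.35.2 is the
first patched release, as the advisory states.
"""
from __future__ import annotations

import re
import subprocess

PATCHED_VERSION = "1.35.2"  # first fixed release named in the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.35.1' into (1, 35, 1); a suffix such as '-beta1' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when `installed` is older than the first patched release.

    Tuples of integers compare component-wise, so 1.9.0 < 1.35.2 holds;
    a plain string comparison ("1.9.0" > "1.35.2") would misclassify it.
    """
    return parse_version(installed) < parse_version(patched)


def installed_version(wp_path: str = ".") -> str:
    """Ask WP-CLI for the active Forminator version of the site at `wp_path`."""
    result = subprocess.run(
        ["wp", "plugin", "get", "forminator", "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    status = f"VULNERABLE, update to {PATCHED_VERSION} or later" if is_vulnerable(version) else "patched"
    print(f"Forminator {version}: {status}")
```

Run it from the WordPress root (or pass `wp_path`) on each site you manage; the same `is_vulnerable()` check can be applied to version strings collected from an inventory export without WP-CLI.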

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized form creation/modification by non-admin users
  • User registration forms being modified to set default role to administrator
  • New administrator accounts created unexpectedly

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with forminator-related actions from non-admin users

SIEM Query:

source="wordpress.log" AND ("forminator" AND ("create_form" OR "update_form" OR "user_registration")) AND user_role!="administrator"
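The SIEM query above assumes fields named `user_role` and a free-text match on "forminator". Below is an added example (not part of the advisory) that applies the three log indicators listed above to a handful of constructed activity-log lines; the key=value format and the field names `user`, `role`, `plugin`, `action`, `form_type`, `new_role` and `target_user` are assumptions standing in for whatever your activity-log plugin or SIEM emits, and the action names are taken from the query above.

```python
"""Match this advisory's log indicators against constructed WordPress activity-log lines.

Added example, not part of the advisory. The key=value line format and the
field names (user, role, plugin, action, form_type, new_role, target_user) are
assumptions standing in for whatever your activity-log plugin or SIEM emits;
the action names come from the advisory's SIEM query.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Form-builder actions the advisory's SIEM query keys on.
FORM_ACTIONS = {"create_form", "update_form", "user_registration"}

# Constructed sample log; not real data.
SAMPLE_LOG = """\
ts=2024-11-01T10:02:11Z user=alice role=administrator plugin=forminator action=update_form form=17
ts=2024-11-01T10:05:40Z user=bob role=contributor plugin=forminator action=create_form form=42
ts=2024-11-01T10:06:02Z user=bob role=contributor plugin=forminator action=update_form form=42 form_type=user_registration new_role=administrator
ts=2024-11-01T10:09:55Z user=anonymous role=none plugin=core action=user_register target_user=mallory new_role=administrator
ts=2024-11-01T10:10:30Z user=carol role=editor plugin=core action=post_publish post=301
"""


@dataclass(frozen=True)
class Alert:
    rule: str     # which indicator fired
    user: str     # acting user
    detail: str   # what they touched


def parse_line(line: str) -> dict[str, str]:
    """Parse 'key=value key=value ...' into a dict; values contain no spaces."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def evaluate(event: dict[str, str]) -> list[Alert]:
    """Apply the advisory's three log indicators to one parsed event."""
    alerts: list[Alert] = []
    user = event.get("user", "?")
    action = event.get("action", "")
    new_role = event.get("new_role", "")
    form = event.get("form", "?")

    # 1. Form created or modified through Forminator by a non-administrator.
    if (event.get("plugin") == "forminator"
            and action in FORM_ACTIONS
            and event.get("role") != "administrator"):
        alerts.append(Alert("non_admin_form_change", user, f"{action} form={form}"))

    # 2. Registration form's default role set to administrator, whoever did it.
    if (action == "update_form"
            and event.get("form_type") == "user_registration"
            and new_role == "administrator"):
        alerts.append(Alert("registration_default_role_admin", user, f"form={form}"))

    # 3. A new account created directly with the administrator role.
    if action == "user_register" and new_role == "administrator":
        alerts.append(Alert("new_admin_account", user, f"target_user={event.get('target_user', '?')}"))

    return alerts


def scan(log_text: str) -> list[Alert]:
    """Run evaluate() over every non-empty line and collect the alerts."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.rule}] user={alert.user} {alert.detail}")
```

On the sample data the administrator's own form edit is silent, the contributor's two form operations fire the first rule, the registration-form edit that sets the default role to administrator also fires the second, and the new administrator account fires the third. Rule 2 deliberately fires regardless of who made the change, because a registration form defaulting to Administrator is worth a look even when an administrator set it.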
