Login Sign Up

CVE-2024-31077

7.2 HIGH
SQL Injection

📋 TL;DR

This SQL injection vulnerability in Forminator WordPress plugin allows remote authenticated attackers with administrative privileges to execute arbitrary SQL commands. Attackers can read, modify, or delete database content, potentially leading to data theft, site defacement, or denial of service. All WordPress sites using vulnerable Forminator versions are affected.

💻 Affected Systems

Products:
  • Forminator WordPress Plugin
Versions: All versions prior to 1.29.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have administrative WordPress privileges. Plugin must be installed and active.

📦 What is this software?

Forminator by Incsub

View all CVEs affecting Forminator →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including user credential theft, site takeover, data destruction, and persistent backdoor installation.

🟠

Likely Case

Data exfiltration of sensitive information (user data, form submissions), site defacement, or temporary DoS through database manipulation.

🟢

If Mitigated

Limited impact if administrative accounts are properly secured with strong credentials and multi-factor authentication.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative credentials but SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.29.3

Vendor Advisory: https://wordpress.org/plugins/forminator/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Forminator plugin
4. Click 'Update Now' if available
5. Alternatively, download version 1.29.3+ from WordPress repository and manually update

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable Forminator plugin until patched

wp plugin deactivate forminator

Admin Access Restriction

all

Temporarily restrict administrative access to trusted IPs only

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with SQL injection rules
  • Enforce strong administrative credentials and multi-factor authentication

🔍 How to Verify

Check if Vulnerable:

Check Forminator plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get forminator --field=version

Verify Fix Applied:

Confirm Forminator version is 1.29.3 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed admin login attempts followed by successful login
  • Unexpected database schema changes

Network Indicators:

  • SQL injection patterns in HTTP requests to Forminator endpoints
  • Unusual database connection patterns from web server

SIEM Query:

source="web_server_logs" AND (uri="*forminator*" AND (query="*SELECT*" OR query="*UNION*" OR query="*INSERT*" OR query="*DELETE*"))

📊 Metadata

CVE ID: CVE-2024-31077
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: April 23, 2024
Last Updated: April 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-31077, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)