A major vulnerability affecting the Forminator WordPress Contact Form plugin up to and including version 1.24.6 was disclosed by the U.S. Government’s National Vulnerability Database (NVD).
According to the warning, malicious files can be uploaded to websites by unauthenticated attackers, which “may make remote code execution possible.”
On a scale of one to 10, with 10 being the most serious vulnerability level, the vulnerability score rating is 9.8, with 1 being the least vulnerable.
Potential For Unauthorised Attacks
In order to exploit many vulnerabilities, an attacker typically has to be a WordPress user or higher. For instance, although specific vulnerabilities are accessible to users with the subscriber user level. Others require the contributor or admin level to be exploited.
This vulnerability is especially concerning because it enables unauthenticated attackers. Those with no user level at all to successfully hijack the website.
The attacker can upload an arbitrary file, which refers to any kind of file, such as a malicious script. This is another reason why this vulnerability is rated 9.8 on a scale of 1 to 10 (critical).
Execution of Remote Code
An exploit that allows the attacker to remotely execute malicious code on the targeted website. From another computer is known as a remote code execution (RCE) vulnerability. An entire site takeover could cause more harm than this kind of hack.
Contact Forms Must Be Strictly Controlled
WordPress plugins that permit logged-in or anonymous users to upload anything. Including text or photos, must have a method to restrict what can be uploaded. Because they allow public feedback, contact forms need to be particularly secure.
Suggested:
WordPress Now Offers A Content Generator Powered By OpenAI, With Free Access.
WordPress has made a Free Course on Creating and Monetizing Membership Websites Available.
WordPress in Discussion Towards AI Integration.
YouTube Lowers Restrictions For Joining the Partner Program in More Nations