A critical vulnerability has been discovered in the WordPress plugin Forminator that enables an unauthorized attacker to upload arbitrary files to a server. The initial proof of concept (PoC) was poorly written: the original researcher shared a few unclear screenshots along with a request containing unexplained code. So I wrote a Python script to simplify and automate the process.
The vulnerability is caused by an error in the file-type validation process. When an attempt is made to upload a prohibited file format, such as PHP, an alert is generated stating that the “Uploaded file’s extension is not allowed.” Despite this notification, the upload is not blocked: the file is saved successfully and can be accessed within the site’s “/wp-content/uploads” folder. This vulnerability can lead to remote code execution.
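The bug class the paragraph describes, a check that reports an error without stopping the upload, shown as an illustrative vulnerable-versus-hardened pair. This is an added example, not Forminator’s code; the function names, the allowed-extension list and the demo upload record are constructed.

```php
<?php
// Illustration of the bug class: the extension check reports an error, but the
// upload still goes through. NOT Forminator's code; names and data constructed.

$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Vulnerable pattern: the extension check only records an error message,
// and nothing downstream consults that message before the file is saved.
function save_upload_vulnerable(array $file, array $allowed, string $uploadDir): array
{
    $errors = [];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        $errors[] = "Uploaded file's extension is not allowed.";
    }
    // BUG: $errors is never checked, so the file is written regardless.
    $dest  = $uploadDir . '/' . basename($file['name']);
    $saved = copy($file['tmp_name'], $dest); // stand-in for move_uploaded_file()
    return ['saved' => $saved, 'path' => $dest, 'errors' => $errors];
}

// Hardened pattern: fail closed before any write, and do not reuse the
// client-supplied file name for the stored object.
function save_upload_hardened(array $file, array $allowed, string $uploadDir): array
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return ['saved' => false, 'path' => null,
                'errors' => ["Uploaded file's extension is not allowed."]];
    }
    // In a real plugin, wp_check_filetype_and_ext() and wp_handle_upload()
    // should decide what the file is; the random name here is defence in depth.
    $dest  = $uploadDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    $saved = copy($file['tmp_name'], $dest);
    return ['saved' => $saved, 'path' => $dest, 'errors' => []];
}

// Constructed demo: a fake upload record pointing at a harmless temp file
// whose name carries a disallowed extension.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "plain text, not code\n");
$fake = ['name' => 'example.php', 'tmp_name' => $tmp];
$vuln = save_upload_vulnerable($fake, $allowed, sys_get_temp_dir());
$hard = save_upload_hardened($fake, $allowed, sys_get_temp_dir());
printf("vulnerable: saved=%s errors=%d\n", var_export($vuln['saved'], true), count($vuln['errors']));
printf("hardened:   saved=%s errors=%d\n", var_export($hard['saved'], true), count($hard['errors']));
foreach ([$tmp, $vuln['path']] as $p) { if ($p && file_exists($p)) { unlink($p); } }
```

The vulnerable variant returns the error message and a saved file at the same time, which is exactly the symptom the post describes; the hardened variant returns before anything is written.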
Forminator is currently active on more than 400,000 sites, and given the simplicity of the vulnerability, it is quite easy to gain control over any site running Forminator with file upload enabled.
What do you think?
I would like to hear your opinion. Leave a comment.