WordPress Plugin Vulnerabilities

Forminator < 1.29.0 - Unauthenticated Arbitrary File Upload

Description

The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.28.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
forminator
Fixed in 1.29.0

References

CVE
CVE-2024-28890
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f58d5464-b12d-4d01-985a-68854b0b2fdd

Miscellaneous

Original Researcher
hibiki moriyama
Verified
No
WPVDB ID
fbbd65de-1aba-4f31-9cc6-0397983638d3

Timeline

Publicly Published
2024-04-18 (about 1 year ago)
Added
2024-04-24 (about 1 year ago)
Last Updated
2024-04-24 (about 1 year ago)

Other

Published
Title
Published
2025-07-23
Title
WPBookit < 1.0.7 - Unauthenticated Arbitrary File Upload via image_upload_handle Function
Published
2016-03-11
Title
Beauty & Clean Theme 1.0.8 - Arbitrary File Upload
Published
2025-08-27
Title
Pin WP < 7.2 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2015-07-06
Title
ACF Frontend Display <= 2.0.6 - Arbitrary File Upload
Published
2025-07-03
Title
Download Plugin < 2.2.9 - Authenticated (Administrator+) Arbitrary File Upload