MalCare blocked 1000s of attacks that attempted to exploit the recently discovered Forminator plugin vulnerability. Our firewall protected sites for 4 weeks, even before the vulnerability was disclosed, and more critically before it was patched. MalCare’s proactive threat detection setup is designed to ensure your WordPress site remains secure 24/7.

Introduction

From August 6 to September 1, 2023, MalCare blocked over 1000s of attempts to attack our customer sites using the Forminator plugin vulnerability. These attacks originated from multiple IPs based all over the world.  Once the vulnerability was disclosed publicly, we saw a sharp spike in attack numbers. 

Important: Please update the plugin if you haven’t already done so, as this is a high severity vulnerability. 

Here are MalCare firewall stats for these attacks (as of September 1, 2023):

Fig. 1: Pie chart showing the percentage of attacks blocked from various IP addresses

Fig. 2: Line chart showing the spread of attacks blocked per day over August and September 2023

The gravity of these attacks is such that even one request could compromise your entire WordPress site. Hence, we reiterate please update the Forminator plugin on your site immediately since this is a high-severity vulnerability.

What is the Forminator WordPress plugin vulnerability?

Plugin information

• Vulnerable plugin version: v1.24.x and earlier
• Patch release version: v1.25.x and newer

About the vulnerability

Forminator is one of the most widely used plugins in the WordPress community. It is an easy-to-use plugin that can create contact forms, order forms, payment forms, feedback widgets, interactive polls with real-time results, and more.

With more than 400,000 active installs, Forminator’s widespread usage means that nearly half a million sites were at risk of being hacked. The vulnerability could have been used to upload arbitrary files on a target website’s server, enabling remote code execution (RCE).

The US government’s National Vulnerability Database (NVD) released a notice (CVE-2023-4596) warning users of all Forminator versions up to and including v1.24.x. Moreover, the security plugin Wordfence has rated this vulnerability 9.8/10, as well.

The vulnerability has now been fixed with the release of Forminator v1.25.0 on August 16, 2023.

Fig.3: A snapshot of the vulnerable code within the Forminator plugin

How is your site at risk?

If your WordPress site uses the Forminator plugin with a version earlier than v1.25, it could expose your site to RCE by malicious actors. In an RCE attack, attackers can access your site remotely and make changes to it. These changes can involve running code that could modify all information going in and out of your site, installing ransomware on unsuspecting users’ systems, slowing down your site by hogging up the available memory space on your host server, and much more.

It means that sensitive information like usernames, passwords, card details, social security numbers, etc. can be easily accessed by the attackers. Moreover, a slow and malware-ridden site means you will lose users and their trust and, consequently, search rankings. The wide gamut of malicious activities possible through RCE makes it a critical security issue to address immediately.

Who discovered this vulnerability?

Turkish security researcher Mehmet Kelepçe discovered this vulnerability on July 20, 2023. Subsequently, WPMUDev, the developer of the Forminator plugin, was informed and a patch was released for all users (free and paid) to address this vulnerability on August 16, 2023.

Fig. 4: Changelog for Forminator; the current version is v1.25.2

How important is a WordPress firewall?

Addressing plugin vulnerabilities is of paramount importance due to their potential to wreak havoc on thousands of sites all over the world. Discovering them, however, is a whole other gamble.

These vulnerabilities are not always discovered by security researchers, unlike in this case. A responsible security researcher quickly informs the plugin developer of the issue so that it can be corrected at the earliest, either by issuing a patch or changes in the backend. However, if the vulnerability is discovered by hackers, they could use it for all the wrong reasons.

Now, if you think that using a generic firewall on your site should be enough to guard against these vulnerabilities and the attacks that stem from them, think again! While most firewalls may block some remote connections, this is not enough. These vulnerabilities are highly specific to WordPress, and hence WordPress-specific firewall rules are required, which generic firewalls do not possess.

This is where MalCare comes in. MalCare’s advanced heuristics help its WordPress firewall learn from previous attacks and smartly prevent future ones. It also proactively identifies malicious IPs and blocks them on all WordPress sites protected by MalCare. This is how MalCare stopped over 2,000 attacks stemming from this vulnerability even before it was patched.

What are the other ways in which MalCare protects WordPress sites?

A robust firewall is only one of the many ways MalCare protects your WordPress website. Some of the other ways in which it secures your site are:

• MalCare’s strong malware scanner and removal utility scans your website and its database to weed out any malware that may have been inserted during an attack.
• MalCare is a proactive security plugin. It alerts when vulnerabilities are discovered in installed plugins and themes, enabling you to act quickly to secure your site.
• It provides powerful bot protection and keeps away bad bots that eat away at your website’s resources, leading to an overall faster site.
• It also comes with the convenience of automatic, offsite backups for your site so you can run it without any worries.