Forminator is a widely-used WordPress plugin designed to help users create forms, polls, and surveys with ease. However, CVE-2024-7052 reveals a critical Stored Cross-Site Scripting (XSS) vulnerability that can be exploited by attackers with editor-level access. This vulnerability allows malicious users to inject JavaScript into form fields, which, when executed, can lead to account takeover and the creation of a backdoor. With over 500,000 active installations, this flaw presents a significant security risk, especially for websites that rely on Forminator to gather sensitive user information.

CVE: CVE-2024-7052
Plugin: Forminator < 1.38.3
Critical: High
All Time downloads: 10 251 886
Active installations: 500 000+
Publicly Published: January 17, 2024
Last Updated: January 17, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7052
https://wpscan.com/vulnerability/4e52cab5-821c-4ca8-9024-67f716cf78fe/

Timeline

July 18, 2024: Plugin testing and vulnerability detection in Forminator were completed.
July 18, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
January 17, 2024: Registered CVE-2024-7052.

Discovery of the Vulnerability

The vulnerability was discovered during a security audit of the Forminator plugin. The issue stems from the “Label” field within the “Name” and “Post Data” blocks of Forminator forms. When these fields are not properly sanitized or validated, attackers can inject malicious JavaScript code into the field, which is stored in the WordPress database and executed when the form is rendered. The flaw occurs because the plugin fails to properly sanitize user inputs, allowing for the insertion of unfiltered JavaScript that can be executed in the user’s browser when they interact with the form.

Understanding XSS attacks

Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities in web applications. XSS attacks occur when an attacker injects malicious JavaScript into a webpage, which is then executed by the browser of anyone who views the page. In WordPress, XSS vulnerabilities are often found in plugins that allow user-generated content or interaction with form fields. A real-world example of an XSS vulnerability was found in the WPForms plugin, where attackers could inject malicious scripts into form fields, allowing them to steal session cookies or hijack user accounts. CVE-2024-7052 in Forminator operates similarly, where malicious JavaScript is injected into form fields, leading to the execution of the script when the form is rendered.

Exploiting the XSS Vulnerability

To exploit CVE-2024-7052, an attacker with editor-level privileges proceeds as follows:

POC:

Create a new form. Add the "Name" and "Post Data" blocks and change the "Label" field to malicious JS code (eval() etc.), for example <img src=x onerror=alert(1)>, then Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)


The potential risks associated with CVE-2024-7052 are severe. If successfully exploited, the attacker can hijack an administrator’s session, effectively gaining full control over the WordPress site. Once the attacker has admin access, they can modify content, install malicious plugins, steal sensitive data, or deface the site. In a real-world scenario, an attacker could use this vulnerability to create a backdoor admin account, allowing them to maintain control over the site even if the vulnerability is patched. This poses a significant threat to websites that handle sensitive user information, such as e-commerce or membership sites, where exploitation of the vulnerability could lead to data breaches, financial losses, and reputational damage. Moreover, once the attacker gains control, they can install additional malicious scripts, further compromising the site and its visitors.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-7052, administrators should immediately update the Forminator plugin to the latest patched version once a fix is released. Additionally, administrators should ensure that the unfiltered_html capability is disabled for non-admin users, especially editors, to prevent the injection of malicious JavaScript. Proper sanitization and validation of all user inputs, particularly in form fields like the “Label” field in the “Name” and “Post Data” blocks, is crucial to prevent XSS attacks. Implementing a Content Security Policy (CSP) and conducting regular security audits can help detect and block potential XSS vulnerabilities. Limiting user permissions and reviewing user roles periodically can also reduce the likelihood of such attacks. To prevent this type of attack, the vendor applied the prevention methods we recommended.
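The following added example (not Forminator's own code; all function names are hypothetical) illustrates the sink described in the discovery section, a stored label echoed into the page unescaped, next to its escaped form, and the two administrative controls recommended above: sanitizing the label on save and denying the unfiltered_html capability to non-administrators. It assumes a WordPress runtime providing sanitize_text_field(), wp_unslash(), esc_html(), user_can() and the map_meta_cap filter.

```php
<?php
// Hypothetical save path: normalise the stored label to plain text so
// markup such as <img src=x onerror=alert(1)> never reaches the database.
function example_save_label( $raw_label ) {
    return sanitize_text_field( wp_unslash( $raw_label ) );
}

// Rendering pattern that produces the Stored XSS: the stored value is
// concatenated straight into the markup, so an onerror handler executes
// in the browser of whoever views the form.
function example_render_label_unsafe( $label ) {
    return '<label>' . $label . '</label>';
}

// Hardened rendering: esc_html() encodes < > & " ' so the stored payload
// is displayed as literal text instead of being parsed as an element.
function example_render_label_safe( $label ) {
    return '<label>' . esc_html( $label ) . '</label>';
}

// Recommendation from the advisory: editors keep their normal role but lose
// unfiltered_html, so WordPress's own KSES filtering applies to their content.
// 'do_not_allow' is the standard capability that always fails the check.
// (Defining DISALLOW_UNFILTERED_HTML in wp-config.php is the blunter
// alternative; it also strips the capability from administrators.)
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
        $caps = array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );
```

With the filter active, a test account in the Editor role fails current_user_can( 'unfiltered_html' ), which is the precondition the PoC notes for reproducing the issue with such roles.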

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-7052, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2024-7052 – Forminator – Stored XSS to JS Backdoor Creation – POC
