CVE-2023-4596

Name of the Vulnerable Software and Affected Versions Forminator plugin for WordPress versions up to, and including, 1.24.6

Description The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload post image() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. The vulnerability affects over 400,000 sites.

Recommendations For Forminator plugin for WordPress versions up to, and including, 1.24.6: Update to a version later than 1.24.6 to resolve the issue. As a temporary workaround, consider disabling the upload post image() function until a patch is available. Restrict access to the upload functionality to minimize the risk of exploitation.