October 3, 2023

A critical vulnerability has been found in Forminator that could allow unauthenticated attackers to upload arbitrary files to the affected site’s server.

The vulnerability, tracked as CVE-2023-4596, with a CVSS score of 9.8, is an arbitrary file upload vulnerability, that deserves every ounce of attention it’s getting.


The root of the issue lies in the sequence of the file-uploading process in Forminator. When a file is uploaded, its type is verified to ensure it’s of a safe and expected format. In Forminator’ s case, this validation step unfortunately occurs after the file has already taken residence on the server.

The vulnerability allows an unauthenticated attackers – those without any registered status on the site – to upload arbitrary files to a site’s server. Given the right conditions and file types, this could pave the way for remote code execution, allowing the attacker to run commands or scripts on the affected server.

An attacker who exploits the CVE-2023-4596 vulnerability could upload arbitrary files to the affected site’s server. This could include malicious files that could be used to:

  • Execute arbitrary code on the server.
  • Steal sensitive data from the server.
  • Disrupt the operation of the website.

The working PoC is already circulating in the wild, the risk is even higher. This means attackers have a blueprint, a how-to guide, on exploiting this vulnerability. Users of Forminator should update to the latest version of the plugin (1.25 or newer) as soon as possible. If you are unable to update to the latest version, you can disable the Forminator plugin until a fix is available.


In addition to updating the plugin, you can take the following steps to protect your site from this vulnerability:

  • Keep your WordPress installation up to date.
  • Use a security plugin to scan your site for vulnerabilities.
  • Be careful about what files you upload to your site.
  • Only download files from trusted sources.

Leave a Reply

%d bloggers like this: