WordPress Forminator Plugin XSS Vulnerability (CVE-2024-45625) Advisory

Key Information 1. Vulnerability ID: - JVN#65724976 2. Affected Products: - WordPress Plugin "Forminator" versions prior to 1.34.1 3. Description: - The Forminator plugin allows users to create and embed forms. When accessing a page containing a form created by Forminator, certain information from the URL may be embedded into the form. - This embedded information is improperly handled, leading to a Cross-Site Scripting (CWE-79) vulnerability. 4. Impact: - When users visit a page containing a malicious URL and then access a webpage with a form created by Forminator, arbitrary scripts may be executed. 5. Solution: - Update the plugin and rebuild the forms. - As recommended by the developer, update the plugin and rebuild previously created forms. 6. Vendor Status: - WPMU DEV has released an update that fixes this issue. 7. Reference Links: - WPMU DEV's Forminator plugin update information. 8. CVSS Score: - CVSS v3 Score: 3.0 - Base Score: 6.1 9. Credit: - Reported by Yoshimitsu Kato of Asterisk Corporation. - Coordinated by JPCERT/CC with the developer through the Information Security Management Early Warning Partnership. 10. Additional Information: - JPCERT Alert - JPCERT Report - CERT Advisory - CPNI Announcement - TRnotes - CVE: CVE-2024-45625 - JVN iPedia: JVNDB-2024-000097 Summary This vulnerability is a Cross-Site Scripting (CWE-79) flaw in the WordPress plugin Forminator, affecting all versions prior to 1.34.1. Users can resolve the issue by updating the plugin and rebuilding the forms.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Forminator Plugin XSS Vulnerability (CVE-2024-45625) Advisory