7 Sep 2023

WPMU DEV and Their Partner Patchstack Didn’t Handle Security Vulnerability in 400,000+ Install Plugin Well

WPMU DEV is a WordPress plugin developer that, as we have noted in the past, hasn’t handled security well despite being a security provider. They offer the Defender plugin, which WordPress says has 90,000+ installs, and WPMU DEV claims that the pro version of it has 300,000+ installs. If you head to the homepage for the pro version right now, it claims to provide “reliable WordPress security”, which is powered by Patchstack:

[Read more]

28 Feb 2020

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Forminator

The plugin Forminator was closed on the WordPress Plugin Directory yesterday. It is one of the 1,000 most popular plugins, with 40,000+ installs, so we were alerted to its closure. When we checked on the plugin to see whether we should warn users of it who also use our service, we found that it had been updated and re-opened, and that the changelog for the new version reads “Security Fix: Patch authenticated stored XSS”. Based on that and the changes made in that version, the fix appears to consist of sanitizing the values of various settings when creating fields in its forms. By default only Administrators can access those settings, and Administrators have the unfiltered_html capability, which already allows them to do the equivalent of cross-site scripting (XSS). The plugin is only partially designed to allow lower-level users access to its admin functionality, so this would only be a vulnerability on a website that had a role which could edit those forms but lacked the unfiltered_html capability (Administrators on a WordPress multisite network are one such case, since by default only Super Admins hold unfiltered_html there).
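To make the distinction above concrete, here is an added example of the save-and-render pattern a WordPress plugin should use for form field settings. It is not Forminator’s or WPMU DEV’s code; the function names and the `FORM_EDIT_CAP` constant are assumptions, and it relies on WordPress core being loaded for `current_user_can()`, `sanitize_text_field()`, `wp_kses_post()`, `esc_html()`, `esc_attr()` and `WP_Error`. The point it shows is that storing settings unsanitized is only “safe” while every user who can reach the save path holds unfiltered_html; the hardened version applies WordPress’ own policy (trust unfiltered_html, filter everyone else) and escapes at output regardless of what was stored.

```php
<?php
// Added example, not code from the plugin discussed on this page.
// Assumes WordPress is loaded (current_user_can, sanitize_text_field,
// wp_kses_post, esc_html, esc_attr and WP_Error are WordPress core).

// Hypothetical capability a plugin would require before saving a form.
const FORM_EDIT_CAP = 'manage_options';

/**
 * Vulnerable pattern: field settings are stored exactly as submitted.
 * This is only harmless while every user who can reach this code has
 * unfiltered_html. A custom role granted form editing, or an Administrator
 * on multisite (who lacks unfiltered_html by default), turns it into
 * authenticated stored XSS.
 */
function example_save_field_unsafe( array $field ) {
    return array(
        'label'       => $field['label'],
        'placeholder' => $field['placeholder'],
        'description' => $field['description'],
    );
}

/**
 * Hardened pattern: check the capability, then sanitize on save according
 * to what the saving user is allowed to do, mirroring how WordPress core
 * treats post content.
 */
function example_save_field_safe( array $field ) {
    if ( ! current_user_can( FORM_EDIT_CAP ) ) {
        return new WP_Error( 'forbidden', 'You may not edit forms.' );
    }

    // Plain-text settings never legitimately contain markup.
    $clean = array(
        'label'       => sanitize_text_field( $field['label'] ?? '' ),
        'placeholder' => sanitize_text_field( $field['placeholder'] ?? '' ),
    );

    // A description may legitimately carry limited HTML. Users with
    // unfiltered_html may keep arbitrary markup (WordPress' own policy);
    // everyone else is reduced to the post-content allow-list, which drops
    // <script> and event-handler attributes such as onerror.
    $description          = $field['description'] ?? '';
    $clean['description'] = current_user_can( 'unfiltered_html' )
        ? $description
        : wp_kses_post( $description );

    return $clean;
}

/**
 * Output: escape at render time no matter what is in storage, so a value
 * saved before the fix, or through another code path, cannot execute.
 * The description is re-filtered here as well, so output never trusts
 * what happened at save time.
 */
function example_render_field( array $field ) {
    $html  = '<label>' . esc_html( $field['label'] ?? '' ) . '</label>';
    $html .= '<input type="text" placeholder="' . esc_attr( $field['placeholder'] ?? '' ) . '">';
    $html .= '<p>' . wp_kses_post( $field['description'] ?? '' ) . '</p>';
    return $html;
}

// Constructed input of the kind a low-privilege form editor could submit.
$submitted = array(
    'label'       => 'Name<script>alert(1)</script>',
    'placeholder' => '" autofocus onfocus="alert(1)',
    'description' => '<img src=x onerror=alert(1)>',
);

// $unsafe keeps the payloads verbatim; $safe strips or neutralises them.
$unsafe = example_save_field_unsafe( $submitted );
$safe   = example_save_field_safe( $submitted );
```

The capability check at the top of the safe version is what decides whether the “only if a role lacks unfiltered_html” reasoning applies at all: if a plugin gates form editing on a capability it grants to custom roles, it cannot assume those roles also have unfiltered_html, and sanitizing on save plus escaping on output is the only safe default.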


[Read more]