Critical Arbitrary File Upload Patched in Forminator Plugin

Published 31 August 2023
Updated 23 November 2023
Rafie Muhammad
Security Researcher at Patchstack
Table of Contents

This security advisory is written about a critical Forminator vulnerability initially disclosed by MEHMET KELEPÇE. Patchstack users have received a vPatch to protect their site against this vulnerability.

This blog post is about the Forminator plugin vulnerability. If you’re a Forminator user, please update the plugin to at least version 1.25.0.

Patchstack Developer and Business users are protected from the vulnerability. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

About the Forminator Plugin

The plugin Forminator (versions 1.24.6 and below, free version), which has over 400,000 active installations is known as the more popular custom form plugin in WordPress. This plugin is developed by WPMUDEV.

It’s claimed that the Forminator’s drag and drop visual builder makes it easy to setup and add forms to our WordPress website. Collect information, make our content interactive and generate more conversions with Forminator.

The security vulnerability

This plugin suffers from an unauthenticated arbitrary file upload vulnerability. This vulnerability allows any unauthenticated user to upload arbitrary files, including PHP files, that could lead to remote code execution. The described vulnerability was fixed in version 1.25.0 and assigned CVE-2023-4596.

We initially discovered and reported the vulnerability to the vendor (WPMUDEV) on 16 August without any clue that the vulnerability was already publicly disclosed by MEHMET KELEPÇE. The vendor then informed us the vulnerability is known to them and already patched it first on the premium version of the plugin. The vendor then published the patch on the free version of the plugin on the same day (August 16th, 2023). We planned to delay the disclosure of the vulnerability, but it turns out that the vulnerability already publicly disclosed.

Unauthenticated Arbitrary File Upload

The underlying vulnerable code exist in the upload_post_image function:

public function upload_post_image( $field, $field_name ) {
    $post_image = self::get_property( 'post_image', $field, '' );

    if ( empty( $post_image ) ) {
        return true;
    }
    if ( ! empty( $_FILES[ $field_name ]['name'] ) ) {
        $file_name = sanitize_file_name( $_FILES[ $field_name ]['name'] );
        // TODO: refactor upload to use WP filesystem api.
        $file_data        = file_get_contents( $_FILES[ $field_name ]['tmp_name'] );
        $upload_dir       = wp_upload_dir(); // Set upload folder.
        $unique_file_name = wp_unique_filename( $upload_dir['path'], $file_name );
        $filename         = basename( $unique_file_name ); // Create base file name.

        if ( wp_mkdir_p( $upload_dir['path'] ) ) {
            $file = $upload_dir['path'] . '/' . $filename;
        } else {
            $file = $upload_dir['basedir'] . '/' . $filename;
        }

        // Create the  file on the server.
        file_put_contents( $file, $file_data );
        
        // Check image file type.
        $wp_filetype = wp_check_filetype( $filename, null );
        $image_exts  = apply_filters( 'forminator_field_postdata_image_file_types', $this->image_extensions );
-------------------------- CUTTED HERE --------------------------

The function is used to handle the upload process of post image. This function can be reached if the site has a Forminator form with the “Create Post” template that allows unauthenticated user to create a post.

Notice that there is no check on the uploaded filename or extension and the file is directly uploaded using the file_put_contents function. The interesting part is the check on the filetype using the wp_check_filetype function is only performed after the file has already been uploaded.

The patch

The patch is as simple as moving the file_put_contents function after the check has been applied. The patch can be seen below:

Conclusion

Always check every process of $_FILES parameter in the plugin or theme code. Make sure to apply a check on the filename and extension before uploading the file. One of the WordPress built-in functions to check the filetype is wp_check_filetype.

Timeline

16 August, 2023We initially found the vulnerability and reached out to the plugin vendor.
16 August, 2023The vendor acknowledge that the issue is known and already patched in the premium version. Forminator free version 1.25.0 released to patch the reported issue.
29 August, 2023We are aware that the vulnerability already publicly disclosed by other reseracher and added the vulnerabilities to the Patchstack vulnerability database.
31 August, 2023Security advisory article released.

Help us make the Internet a safer place

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

  • If you’re a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
  • If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.

The latest in Security advisories

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu