Get Started
CVE July 13, 2026 5 min read

CVE-2024-28890: Unauthenticated Arbitrary File Upload in Forminator Exposed 500,000+ WordPress Sites (CVSS 9.8)

CVE-2024-28890 is a critical (CVSS 9.8) unauthenticated arbitrary file upload vulnerability in the Forminator form builder plugin, installed on 500,000+ WordPress sites. Attackers could upload PHP web shells and fully take over vulnerable sites. Here is how the flaw works, how to check if you were exposed, and how to fix it.

In April 2024, Japan’s national CERT (JPCERT/CC) issued an unusual warning: a critical vulnerability in Forminator, one of the most popular form builder plugins for WordPress, was being actively exploited in the wild. Tracked as CVE-2024-28890 and rated CVSS 9.8 (Critical), the flaw allowed anyone on the internet — no account, no login, no special access — to upload arbitrary files to a vulnerable site’s server. In practice, that means an attacker could plant a PHP web shell and take full control of the site.

Forminator, developed by WPMU DEV, is installed on more than 500,000 WordPress sites. It powers contact forms, payment forms, quizzes, and polls — which is exactly why this vulnerability mattered so much. Form plugins are designed to accept input from anonymous visitors. When the code that handles that input fails to validate what it receives, every visitor becomes a potential attacker.

CVE Details

  • CVE ID: CVE-2024-28890
  • Plugin: Forminator – Contact Form, Payment Form & Custom Form Builder (by WPMU DEV)
  • Active installs: 500,000+
  • Vulnerability type: Unauthenticated Arbitrary File Upload (unrestricted upload of file with dangerous type)
  • CVSS v3 score: 9.8 (Critical)
  • Affected versions: All versions up to and including 1.28.1 (prior to 1.29.0)
  • Patched version: Fixed in 1.29.0; update to 1.29.3 or later, which also resolves two companion flaws
  • Disclosure: April 2024, via JPCERT/CC advisory JVN#50132400; reported by researcher Hibiki Moriyama

The same advisory covered two additional Forminator vulnerabilities patched in 1.29.3: CVE-2024-31077, an SQL injection flaw exploitable by administrator-level users (CVSS 7.2), and CVE-2024-31857, a cross-site scripting issue (CVSS 6.1). The file upload flaw is by far the most dangerous of the three because it requires no authentication at all.

How the Vulnerability Works

Forms frequently include file upload fields — think job application forms that accept résumés, or support forms that accept screenshots. A properly built upload handler enforces strict rules: it checks the file extension against an allowlist, verifies the content type, and stores files in a way that prevents them from being executed as code.

Forminator’s upload handling was missing adequate file type validation. An unauthenticated attacker could submit a file to a vulnerable site and have the server accept it regardless of what the file actually was — including a .php file containing attacker-controlled code.

Once a PHP file lands in a web-accessible directory on a WordPress server, the attack is essentially over. The attacker simply requests the uploaded file’s URL in a browser, the server executes the PHP code, and the attacker now has a web shell — a remote control panel running with the same permissions as WordPress itself. From there they can read wp-config.php (which contains database credentials), create administrator accounts, install further malware, or pivot to other sites on the same hosting account.

The barrier to exploitation was extremely low: no account, no user interaction, no special configuration. Any site running a vulnerable version with a Forminator form exposed to the public was a target — and JPCERT noted reports of attacks in the wild shortly after disclosure.

Real-World Impact

An arbitrary file upload leading to remote code execution is about as bad as it gets for a WordPress site. Realistic outcomes include:

  • Full site takeover. With code execution, attackers can create admin users, modify theme and plugin files, and lock out the legitimate owner.
  • Data theft. Database credentials in wp-config.php expose every user record, order, and form submission — a serious problem for sites using Forminator’s payment forms.
  • Malware distribution and SEO spam. Compromised sites are routinely turned into phishing hosts, malware droppers, or spam link farms, leading to blocklisting by Google and email providers.
  • Persistence. Attackers typically plant multiple backdoors, so even sites that later update the plugin remain compromised unless they are properly cleaned.

The scale amplified the risk. At the time of disclosure, WordPress.org statistics showed only about 56% of Forminator installs running the 1.29 branch — leaving an estimated 200,000+ sites exposed after the patch was already available.

How to Check If You’re Affected

  1. In your WordPress dashboard, go to Plugins → Installed Plugins and look for “Forminator”.
  2. Check the version number. Anything below 1.29.3 means you are missing at least one of the April 2024 security fixes; anything at or below 1.28.1 is vulnerable to the critical file upload flaw.
  3. If you ran a vulnerable version while it was exposed, assume you may have been targeted. Inspect wp-content/uploads for unexpected .php files, review your user list for administrator accounts you didn’t create, and run a malware scan with a reputable security plugin.
  4. Check your server access logs for suspicious POST requests to form submission endpoints followed by GET requests to files in the uploads directory — a classic web shell pattern.

How to Fix It

Update Forminator to the latest version immediately — at minimum 1.29.3, which resolves CVE-2024-28890 along with the SQL injection and XSS flaws disclosed at the same time. Go to Dashboard → Updates or the Plugins screen and update, or enable auto-updates for the plugin so future security releases install themselves.

Beyond the update, a few hardening steps meaningfully reduce the blast radius of file upload flaws in any plugin:

  • Block PHP execution in the uploads directory. A small .htaccess rule (or the equivalent Nginx directive) that denies execution of .php files under wp-content/uploads turns many upload vulnerabilities from site takeovers into non-events.
  • Use a web application firewall. A good WAF can block malicious upload attempts before they reach vulnerable plugin code, buying you time between disclosure and patching.
  • Only enable upload fields when you need them. If a form doesn’t require file uploads, don’t include the field — less attack surface is always better.
  • If you suspect compromise, clean before you trust. Updating the plugin does not remove backdoors that were planted earlier. Restore from a known-good backup or perform a full malware cleanup.

The Takeaway

CVE-2024-28890 is a textbook example of why form plugins deserve extra scrutiny: they exist to accept input from strangers, and a single missing validation check can hand those strangers the keys to your server. The fix was available within days of disclosure — yet hundreds of thousands of sites stayed vulnerable simply because updates weren’t applied.

The lesson is the same one that underpins all WordPress security hygiene: keep plugins updated (ideally automatically for security releases), minimize your attack surface, layer defenses like PHP execution blocking and a WAF, and monitor your site so that if something does get through, you find out from your logs — not from Google’s blocklist warning.

Related Articles