cbcvebase.
CVE-2023-4596
published 2023-08-30

CVE-2023-4596: The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server…

Priority: P186
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector components: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, Exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 12.75% (95.8th percentile)
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affected

1 range

Vendor    Product      Version range   Fixed in
incsub    forminator   <= 1.24.6

Detection & IOCs (extracted from sources)

url:       /wp-admin/admin-ajax.php
path:      /wp-content/plugins/forminator
command:   action=forminator_submit_form_custom-forms
filename:  *.php (uploaded via the postdata-1-post-image field)
  • Flag multipart form submissions to admin-ajax.php where the field name is 'postdata-1-post-image' and the uploaded filename has a .php extension; this is the vulnerable upload_post_image() code path.
  • A successful exploitation response contains the JSON string '{"success":true' together with a 'form_id' key. Monitor admin-ajax.php responses for this pattern when the triggering request is unauthenticated.
  • The presence of the strings 'Upload file' and 'forminator-field-upload' in a page body indicates that the vulnerable Forminator upload form is exposed and reachable by unauthenticated users.
  • Use Shodan/FOFA/PublicWWW queries to identify exposed Forminator plugin instances for proactive patching or monitoring.
  • The vulnerability is in the upload_post_image() function in library/fields/postdata.php: file type validation occurs AFTER the file is written to disk, so even a blocked upload may leave a PHP file on the server transiently.
  • The exploit targets unauthenticated users; no credentials or prior knowledge of the nonce is required. The nonce (forminator_nonce) and form_id are extracted dynamically from the page HTML before the upload POST, so WAF rules must account for a two-step GET+POST sequence.
  • Affected versions are up to and including 1.24.6; version 1.24.7 contains the fix. Scope detection/blocking rules to unpatched instances and do not rely solely on version strings.
  • An EPSS score of 0.92146 (99.711th percentile) indicates a very high real-world exploitation probability; treat as actively exploited in the wild for prioritization purposes.
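The detection bullets above describe three observables (the unauthenticated POST to admin-ajax.php with a .php filename in the postdata-1-post-image field, the '{"success":true' + 'form_id' response, and the page markers that show the upload form is exposed) plus the two-step GET+POST sequence. The following is an added example, not code from this page or from the Forminator project, that turns those bullets into a triage routine and runs it over constructed sample events. It assumes a log collector that records, per request, the source IP, the non-file form parameters, the multipart field names with their client-supplied filenames, whether a valid WordPress session was present, and a prefix of the response body; that record shape is an assumption about the collector, not anything Forminator provides.

```python
"""
Triage of web-proxy events for the CVE-2023-4596 Forminator upload pattern.
Added example (not from the cbcvebase page or the Forminator plugin).
The HttpEvent shape below is an assumed collector output; the sample
events at the bottom are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "forminator_submit_form_custom-forms"
VULN_FIELD = "postdata-1-post-image"
PHP_NAME = re.compile(r"\.php$", re.IGNORECASE)            # .php extension, any case
FORM_MARKERS = ("Upload file", "forminator-field-upload")  # upload form exposed in a page body


@dataclass
class HttpEvent:
    src_ip: str
    method: str
    path: str
    authenticated: bool = False                  # valid WordPress login cookie present?
    params: dict = field(default_factory=dict)   # non-file form parameters (e.g. action)
    uploads: dict = field(default_factory=dict)  # multipart field name -> client filename
    response_body: str = ""                      # first bytes of the server response


def is_upload_attempt(ev: HttpEvent) -> bool:
    """POST to admin-ajax.php on the vulnerable action with a .php name in the image field."""
    if ev.method != "POST" or ev.path != AJAX_PATH:
        return False
    if ev.params.get("action") != VULN_ACTION:
        return False
    return bool(PHP_NAME.search(ev.uploads.get(VULN_FIELD, "")))


def is_success_response(ev: HttpEvent) -> bool:
    """A stored submission is answered with {"success":true,...,"form_id":...}."""
    return '{"success":true' in ev.response_body and '"form_id"' in ev.response_body


def exposes_upload_form(ev: HttpEvent) -> bool:
    """A page body carrying both markers shows the upload form is reachable."""
    return all(marker in ev.response_body for marker in FORM_MARKERS)


def triage(events: List[HttpEvent]) -> List[Optional[str]]:
    """One verdict per event: 'form-exposed-recon', 'exploit-attempt',
    'exploit-success', or None when the event does not match the pattern."""
    verdicts: List[Optional[str]] = []
    for ev in events:
        verdict: Optional[str] = None
        if ev.method == "GET" and exposes_upload_form(ev):
            verdict = "form-exposed-recon"
        elif is_upload_attempt(ev):
            verdict = "exploit-success" if is_success_response(ev) else "exploit-attempt"
        verdicts.append(verdict)
    return verdicts


def chained_sequences(events: List[HttpEvent]) -> List[int]:
    """Indices of upload attempts whose source IP fetched a page exposing the
    form earlier in the stream: the two-step GET+POST sequence a WAF must see."""
    fetched_form = set()
    chained = []
    for i, ev in enumerate(events):
        if ev.method == "GET" and exposes_upload_form(ev):
            fetched_form.add(ev.src_ip)
        elif is_upload_attempt(ev) and ev.src_ip in fetched_form:
            chained.append(i)
    return chained


# Constructed sample stream: a form fetch, a benign image upload, an
# unauthenticated .php upload that the server accepted, an authenticated
# .php upload that was rejected, and an unrelated admin-ajax call.
SAMPLE_EVENTS = [
    HttpEvent("203.0.113.5", "GET", "/contact/",
              response_body='<div class="forminator-field-upload"><button>Upload file</button>'),
    HttpEvent("198.51.100.7", "POST", AJAX_PATH, params={"action": VULN_ACTION},
              uploads={VULN_FIELD: "photo.png"},
              response_body='{"success":true,"message":"ok","form_id":"12"}'),
    HttpEvent("203.0.113.5", "POST", AJAX_PATH, params={"action": VULN_ACTION},
              uploads={VULN_FIELD: "avatar.PHP"},
              response_body='{"success":true,"message":"Thank you","form_id":"12"}'),
    HttpEvent("192.0.2.9", "POST", AJAX_PATH, authenticated=True,
              params={"action": VULN_ACTION}, uploads={VULN_FIELD: "note.php"},
              response_body='{"success":false,"message":"File type not allowed"}'),
    HttpEvent("192.0.2.9", "POST", AJAX_PATH, params={"action": "heartbeat"},
              response_body='{"success":true}'),
]

if __name__ == "__main__":
    for i, (ev, verdict) in enumerate(zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS))):
        print(i, ev.src_ip, ev.method, ev.path, "->", verdict)
    print("chained GET+POST sequences at indices:", chained_sequences(SAMPLE_EVENTS))
```

The filename check is deliberately narrow (a trailing .php, case-insensitive) to match the indicator as the sources state it; a deployment would widen it to whatever the web server actually executes. Because the bullet notes that validation happens after the write, an 'exploit-attempt' verdict with a rejected response still warrants a check of the upload directory for a leftover file, so the triage does not downgrade rejected attempts to None.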

CVSS provenance

nvd:        v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck:  9.8 CRITICAL