CVE-2023-6133
Published: 2023-11-15
Priority: P4 · 26 · Severity: medium · CVSS 3.1 base score: 4.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.87% (54.1th percentile)
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| incsub | forminator | <= 1.27.0 | — |
VulDB
Forminator Plugin up to 1.27.0 on WordPress unrestricted upload (ID 2995007)
vuldb·2026-04-11·CVSS 6.6
CVE-2023-6133 [MEDIUM] Forminator Plugin up to 1.27.0 on WordPress unrestricted upload (ID 2995007)
A vulnerability has been found in Forminator Plugin up to 1.27.0 on WordPress and classified as problematic. This issue affects some unknown processing. The manipulation leads to unrestricted upload.
This vulnerability is documented as CVE-2023-6133. The attack can be initiated remotely. No exploit is available.
GHSA
GHSA-9w33-c6rh-4qfg
ghsa_unreviewed·2023-11-15
CVE-2023-6133 [MEDIUM] CWE-434 GHSA-9w33-c6rh-4qfg
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/browser/forminator/tags/1.27.0/library/fields/upload.php#L356
- https://plugins.trac.wordpress.org/browser/forminator/tags/1.27.0/library/fields/upload.php#L372
- https://plugins.trac.wordpress.org/changeset/2995007/forminator/trunk/library/helpers/helper-fields.php#file0
- https://www.wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3?source=cve