CVE-2023-6133

MEDIUM

Forminator <1.27.0 - File Upload

Title source: llm

Description

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.

References (4)

Core 4

Core References

Issue Tracking

https://plugins.trac.wordpress.org/browser/forminator/tags/1.27.0/library/fields/upload.php#L356

Issue Tracking

https://plugins.trac.wordpress.org/browser/forminator/tags/1.27.0/library/fields/upload.php#L372

Patch

https://plugins.trac.wordpress.org/changeset/2995007/forminator/trunk/library/helpers/helper-fields.php#file0

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3?source=cve

Scores

CVSS v3 6.6

EPSS 0.0032

EPSS Percentile 54.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

incsub/forminator < 1.27.0

wpmudev/Forminator Forms – Contact Form, Payment Form & Custom Form Builder < 1.27.0

Published Nov 15, 2023

Tracked Since Feb 18, 2026