CVE-2024-31077
Published: 23 April 2024
Summary
CVE-2024-31077 is a high-severity SQL Injection (CWE-89) vulnerability in Incsub Forminator. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Forminator, a WordPress plugin developed by WPMU DEV for form creation and data collection, is affected by a SQL injection vulnerability in all versions prior to 1.29.3. The flaw, tracked as CVE-2024-31077 and classified as CWE-89, stems from improper handling of database queries, which can be abused through crafted input.
A remote attacker who has already obtained administrative credentials can exploit the issue over the network to read or modify arbitrary database contents and trigger denial-of-service conditions. The CVSS 7.2 score reflects the high impact on confidentiality, integrity, and availability once administrative access is present, although the attack requires valid high-privileged authentication.
Public advisories published by JVN and the plugin’s WordPress repository page direct administrators to update to version 1.29.3 or later; the EPSS score has remained stable at 0.3450 with no observed upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-28989
Vulnerability details
Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any information in the database and cause a denial-of-service (DoS) condition.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.