BI.ZONE WAF responds to multiple Formidator WordPress plug‑in vulnerabilities
The vulnerabilities allow attackers to compromise sensitive data and disrupt web services. The BI.ZONE WAF and security assessment teams promptly investigated the issues and reproduced their exploitation in a demo environment. They then developed rules to block attempts to exploit the vulnerabilities.
The first vulnerability, CVE-2024-28890, involves incorrect validation of files during the upload process. This enables adversaries to upload a web shell (a remote web server management program) or malware without any restrictions.
The second vulnerability, CVE-2024-31077, allows arbitrary SQL queries to be injected (a union‑based SQL injection). The flaw stems from missing input sanitization in the registration and authentication forms and can lead to data theft.
The third vulnerability, CVE-2024-31857, makes it possible to execute a reflected cross‑site scripting (XSS) attack. Adversaries can inject arbitrary HTML and script code into the pages viewed by users. This can be used to steal cookies and session tokens or even redirect users to malicious websites.
Applications are protected by a semantic search for SQL/JavaScript/HTML constructs in HTTP headers and in the fields submitted by the user. BI.ZONE WAF also checks file extensions, byte values in header names, and the Content‑Type HTTP header against the data actually uploaded. This approach allows for quick and thorough filtering of anomalous requests and ensures reliable protection of web applications.
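As an added illustration (example code written for this page, not BI.ZONE's WAF logic), the following Python function applies the same consistency check described above: the file extension, the declared Content‑Type and the actual payload bytes must all agree, and a file declared as a static asset must carry no script markers. The allowlist and the magic‑byte table are assumptions chosen for the example.

```python
"""Multi-layer upload validation modelled on the checks described above.

Extension, declared Content-Type and actual bytes must all agree before the
request passes; every disagreement is recorded so it can be logged or blocked.
"""
from dataclasses import dataclass, field

# Assumed allowlist: permitted content types and the magic bytes each must start with.
MAGIC = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
}
# Extension -> content type it is expected to carry.
EXT_TYPE = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
            "gif": "image/gif", "pdf": "application/pdf"}
# Script markers that must never appear inside a file declared as a static asset.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def check_upload(filename: str, declared_type: str, data: bytes) -> Verdict:
    """Return a Verdict listing every layer the upload failed."""
    reasons = []
    # Layer 1: extension allowlist (last suffix only, so the byte checks below
    # must catch content that merely borrows an allowed extension).
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected_type = EXT_TYPE.get(ext)
    if expected_type is None:
        reasons.append(f"extension '.{ext}' not in allowlist")
    # Layer 2: declared Content-Type must be allowed and agree with the extension.
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in MAGIC:
        reasons.append(f"content type '{declared}' not allowed")
    elif expected_type and declared != expected_type:
        reasons.append(f"content type '{declared}' does not match '.{ext}'")
    # Layer 3: actual bytes must start with the magic of the declared type.
    if declared in MAGIC and not any(data.startswith(m) for m in MAGIC[declared]):
        reasons.append("payload bytes do not match declared content type")
    # Layer 4: no server- or client-side script markers hidden in the body.
    if any(marker in data[:65536].lower() for marker in SCRIPT_MARKERS):
        reasons.append("script marker found in payload")
    return Verdict(allowed=not reasons, reasons=reasons)
```

A WAF would log the collected reasons and reject the request on any non-empty list; the checks are deliberately independent so a file that satisfies one layer is still judged by the others.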
In addition, the scanning rules and policies developed by the BI.ZONE WAF team have been adapted and integrated into the BI.ZONE CPT (Continuous Penetration Testing) product. With the new rules, BI.ZONE CPT can identify web applications vulnerable to CVE-2024-28890, CVE-2024-31077, and CVE-2024-31857.