Tuesday, February 28, 2017

Security advisory: Update Umbraco Forms immediately

March 1st 2017

Impact: High, requires immediate action. This advisory is the result of a private penetration test; we have no reports that the bug is being exploited.

You need to update Forms now:

Your site will need to be updated if you have installed Forms. 

Umbraco Cloud has been automatically updated and Contour (the predecessor to Umbraco Forms) is not affected.

How to update?

If you are uncertain about how to update Forms, we recommend that you get in touch with the person / agency that built your Umbraco site and let them help you. It is an easy fix, but we recommend that only experienced Umbraco users perform the update.


If you are NOT using NuGet then you need to copy the new version of Umbraco.Forms.Core.Providers.dll into the bin folder of your website.

There are two versions of this library:

  1. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions LOWER than 4.3.0
  2. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions from 4.3.0 up to and including 4.4.1

This dll is fully backwards compatible so you don't need to worry about breaking anything.

If you don't know which version of Forms you're running, click "Forms" in the backoffice menu bar on the left. Your current Forms version is listed right under "Dashboard".




You can also find your current version by looking in the version file here: ~/App_Plugins/UmbracoForms/version 


If you're not already using the latest version of Forms we recommend you take this opportunity to update your Umbraco Forms installation to the latest version wherein the fix has been added: Forms 4.4.2.
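For anyone looking after several sites, the version check above can be scripted. The following is an added example, not code from Umbraco: it reads the version file under each site root and maps it to the ranges in this advisory. The function name, the temp-folder sample sites and the assumption that the version file holds a plain version string such as "4.4.1" are all illustrative.

```powershell
# Added example (not Umbraco's code). Assumption: the version file contains a
# plain version string such as "4.4.1".
function Get-FormsPatchAction {
    param([Parameter(Mandatory = $true)][string]$SiteRoot)

    $result = [pscustomobject]@{ Site = $SiteRoot; Version = $null; Action = $null }
    $versionFile = Join-Path $SiteRoot 'App_Plugins\UmbracoForms\version'
    if (-not (Test-Path -LiteralPath $versionFile -PathType Leaf)) {
        $result.Action = 'No Forms version file found'
        return $result
    }

    $raw = "$(Get-Content -LiteralPath $versionFile -Raw)".Trim()
    $result.Version = $raw
    $parsed = $null
    if (-not [version]::TryParse($raw, [ref]$parsed)) {
        $result.Action = 'Unrecognised version string, check manually'
        return $result
    }
    # "4.3" parses with Build = -1 and would sort below 4.3.0, so normalise it.
    $v = New-Object -TypeName System.Version -ArgumentList @(
        $parsed.Major, $parsed.Minor, [Math]::Max($parsed.Build, 0))

    if ($v -ge [version]'4.4.2') {
        $result.Action = 'Fix included (4.4.2 or later)'
    } elseif ($v -ge [version]'4.3.0') {
        $result.Action = 'Patch: DLL for 4.3.0 up to and including 4.4.1, or update to 4.4.2'
    } else {
        $result.Action = 'Patch: DLL for versions lower than 4.3.0, or update to 4.4.2'
    }
    return $result
}

# Constructed sample sites in a temp folder so the check can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'forms-advisory-demo'
$samples = @{ siteA = '4.2.1'; siteB = '4.4.1'; siteC = '4.4.2' }
foreach ($name in $samples.Keys) {
    $dir = Join-Path $demo "$name\App_Plugins\UmbracoForms"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -LiteralPath (Join-Path $dir 'version') -Value $samples[$name]
}
Get-ChildItem -LiteralPath $demo -Directory |
    ForEach-Object { Get-FormsPatchAction -SiteRoot $_.FullName } |
    Format-Table -AutoSize
```

Copying the patched DLL into bin does not touch the version file, so a site fixed that way still shows its old version here; record those sites separately.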



If you ARE using NuGet then the following instructions apply. Run the following command in your Package Manager Console in Visual Studio:

Update-Package UmbracoForms

Alternatively you can use the NuGet UI to search for the Umbraco Forms package and update it to the latest version.

Automatic update

When you go to the Umbraco Forms section in the backoffice, Forms might offer to automatically update itself. You can also use this to secure your installation.


If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

Details about the issue

Summary: All Umbraco Forms versions contain a critical security flaw

Fix: Replace a single assembly file or run a NuGet update command. Completely backwards compatible.

The newly discovered vulnerability is no longer present in version 4.4.2 of Umbraco Forms and we advise you to make sure that you are using at least version 4.4.1.

We want to thank Jeffrey Schoemaker from Perplex Internet for responsibly disclosing this issue to us.


We apologize for the inconvenience. Security issues are of the highest priority for us as we recognize that the trust in Umbraco depends heavily on this.

If you want to know more about how we handle security in Umbraco, you can read more about Umbraco Security here.
