Pierluigi Paganini November 16, 2017

A researcher from Finland-based company Klikki Oy has discovered several vulnerabilities in the Formidable Forms plugin that expose websites to attacks.

The researcher Jouko Pynnönen from Finland-based company Klikki Oy has discovered several vulnerabilities in the Formidable Forms plugin the expose websites to attacks.

The Formidable Forms plugin allows users to easily create contact pages, polls and surveys, and many other kinds of forms, it has more than 200,000 active installs.

Pynnönen discovered that the dangerous flaws affect both the free and as a paid version.

The most severe issue discovered by the expert is a blind SQL injection that can be exploited by attackers to enumerate a website’s databases and access their content, including user credentials and data submitted to a website via Formidable forms.

Unfortunately, this isn’t the unique flaw of this type, the researcher also found another flaw that exposes data submitted via forms created with the Formidable Forms plugin. Both vulnerabilities are related to the way the plugin implements shortcodes.

“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.” wrote Pynnonen.

The Formidable Forms plugin is also affected by reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS could be exploited by an attacker to execute arbitrary JavaScript code in the context of an administrator’s browsing session. An attacker can inject a malicious code via forms, the code is executed when the site admin view it on the dashboard.

“Administrators can view data entered by users in Formidable forms in the WordPress Dashboard. Any HTML entered in forms is filtered with the wp_kses() function. This isn’t enough to prevent dangerous HTML as it allows the “id” and “class” HTML attributes and e.g. the <form> HTML tag. It was possible to craft HTML code which would result in attacker-supplied JavaScript to be executed when the form entry is viewed.” added the expert.

Below the example shared by the expert:

<form id=tinymce><textarea name=DOM> </textarea></form> 
<a class=frm_field_list>panelInit</a> 
<aid ="frm_dyncontent"> <bid ="xxxdyn_default_valuexxxxx" class="ui-find-overlay wp-editor-wrap">overlay</b></a> 
<aid =post-visibility-display>vis1</a><aid =hidden-post-visibility>vis2</a><aid =visibility-radio-private>vis3</a> 
<div id=frm-fid-search-menu><aid =frm_dynamic_values_tab>zzz</a></div> 
<form id=posts-filter method=post action=admin-ajax.php?action=frm_forms_preview>
<textarea name=before_html>&lt;svg on[entry_key]loaad=ler(t/xss/) <//te&xtagt;rea></form>

The expert also discovered that if the WordPress installation includes the iThemes Sync WordPress maintenance plugin alongside Formidable Forms, the attacker can exploit the SQL injection flaw to obtain a user’s ID and authentication key.

The user’s ID and the authentication key can be used to control WordPress via iThemes Sync.

Formidable Forms promptly fixed the flaws with the release of versions 2.05.02 and 2.

The expert identified the issued as part of a bug bounty program that offers rewards of up to $10,000, the initiative managed by the HackerOne was run by an unnamed Singapore-based tech company. The Formidable Forms plugin is one of the software used by the tech company.

The researcher received $4,500 reward for the SQL injection vulnerability and a few hundred dollars for each of the other security holes.

Pierluigi Paganini

(Security Affairs – Formidable Forms plugin, WordPress hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]