The Formidable Forms plugin allows users to easily create contact pages, polls and surveys, and many other kinds of forms, it has more than 200,000 active installs.
Pynnönen discovered that the dangerous flaws affect both the free and as a paid version.
The most severe issue discovered by the expert is a blind SQL injection that can be exploited by attackers to enumerate a website’s databases and access their content, including user credentials and data submitted to a website via Formidable forms.
Unfortunately, this isn’t the unique flaw of this type, the researcher also found another flaw that exposes data submitted via forms created with the Formidable Forms plugin. Both vulnerabilities are related to the way the plugin implements shortcodes.
“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.” wrote Pynnonen.
Below the example shared by the expert:
<form id=tinymce><textarea name=DOM> </textarea></form> <a class=frm_field_list>panelInit</a> <aid ="frm_dyncontent"> <bid ="xxxdyn_default_valuexxxxx" class="ui-find-overlay wp-editor-wrap">overlay</b></a> <aid =post-visibility-display>vis1</a><aid =hidden-post-visibility>vis2</a><aid =visibility-radio-private>vis3</a> <div id=frm-fid-search-menu><aid =frm_dynamic_values_tab>zzz</a></div> <form id=posts-filter method=post action=admin-ajax.php?action=frm_forms_preview> <textarea name=before_html><svg on[entry_key]loaad=ler(t/xss/) <//te&xtagt;rea></form>
The expert also discovered that if the WordPress installation includes the iThemes Sync WordPress maintenance plugin alongside Formidable Forms, the attacker can exploit the SQL injection flaw to obtain a user’s ID and authentication key.
The user’s ID and the authentication key can be used to control WordPress via iThemes Sync.
Formidable Forms promptly fixed the flaws with the release of versions 2.05.02 and 2.
The expert identified the issued as part of a bug bounty program that offers rewards of up to $10,000, the initiative managed by the HackerOne was run by an unnamed Singapore-based tech company. The Formidable Forms plugin is one of the software used by the tech company.
The researcher received $4,500 reward for the SQL injection vulnerability and a few hundred dollars for each of the other security holes.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.