The Formidable Forms plugin allows users to easily create contact pages, polls and surveys, and many other kinds of forms, it has more than 200,000 active installs.
Pynnönen discovered that the dangerous flaws affect both the free and as a paid version.
The most severe issue discovered by the expert is a blind SQL injection that can be exploited by attackers to enumerate a website’s databases and access their content, including user credentials and data submitted to a website via Formidable forms.
Unfortunately, this isn’t the unique flaw of this type, the researcher also found another flaw that exposes data submitted via forms created with the Formidable Forms plugin. Both vulnerabilities are related to the way the plugin implements shortcodes.
“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.” wrote Pynnonen.
Below the example shared by the expert:
<form id=tinymce><textarea name=DOM> </textarea></form> <a class=frm_field_list>panelInit</a> <aid ="frm_dyncontent"> <bid ="xxxdyn_default_valuexxxxx" class="ui-find-overlay wp-editor-wrap">overlay</b></a> <aid =post-visibility-display>vis1</a><aid =hidden-post-visibility>vis2</a><aid =visibility-radio-private>vis3</a> <div id=frm-fid-search-menu><aid =frm_dynamic_values_tab>zzz</a></div> <form id=posts-filter method=post action=admin-ajax.php?action=frm_forms_preview> <textarea name=before_html><svg on[entry_key]loaad=ler(t/xss/) <//te&xtagt;rea></form>
The expert also discovered that if the WordPress installation includes the iThemes Sync WordPress maintenance plugin alongside Formidable Forms, the attacker can exploit the SQL injection flaw to obtain a user’s ID and authentication key.
The user’s ID and the authentication key can be used to control WordPress via iThemes Sync.
Formidable Forms promptly fixed the flaws with the release of versions 2.05.02 and 2.
The expert identified the issued as part of a bug bounty program that offers rewards of up to $10,000, the initiative managed by the HackerOne was run by an unnamed Singapore-based tech company. The Formidable Forms plugin is one of the software used by the tech company.
The researcher received $4,500 reward for the SQL injection vulnerability and a few hundred dollars for each of the other security holes.