Formidable Forms Vulnerability– Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Cross-Site Request Forgery to Stored Cross-Site Scripting – CVE-2024-0660 |WordPress Plugin Vulnerability Report

Plugin Name: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: formidable
  • Software Status: Active
  • Software Author: strategy11team
  • Software Downloads: 19,521,336
  • Active Installs: 300,000
  • Last Updated: January 30, 2024
  • Patched Versions: 6.8
  • Affected Versions: <= 6.7.2

Vulnerability Details:

  • Name: Formidable Forms <= 6.7.2
  • Title: Cross-Site Request Forgery to Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0660
  • CVSS Score: 6.1
  • Publicly Published: January 26, 2024
  • Researcher: Webbernaut
  • Description: The Formidable Forms plugin is susceptible to a significant security vulnerability that enables Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS). This issue arises from inadequate nonce validation within the plugin's update_settings function, allowing unauthenticated attackers to alter form settings and inject malicious JavaScript if they can deceive an administrator into clicking a malicious link.


Formidable Forms, a widely-used WordPress plugin for creating various forms, has been identified with a vulnerability in versions up to 6.7.2. This flaw permits CSRF attacks that can escalate to Stored XSS, posing a risk to both site integrity and user security. The vulnerability has been rectified in the recently released version 6.8.

Detailed Overview:

Discovered by the researcher Webbernaut, this vulnerability highlights a critical oversight in security practices within the Formidable Forms plugin. The lack of stringent nonce checks makes it feasible for attackers to craft requests that, when executed unwittingly by a site administrator, can lead to unauthorized changes in form settings. These changes could include the addition of malicious scripts, which are then stored and executed within the site, compromising both the site's functionality and the security of its users.

Advice for Users:

  • Immediate Action: Users of the Formidable Forms plugin should immediately upgrade to version 6.8, which addresses this security vulnerability. Delaying this update could leave your site exposed to potential CSRF and Stored XSS attacks.
  • Check for Signs of Vulnerability: Administrators are advised to inspect their site's forms for unexpected changes or scripts that could indicate exploitation of this vulnerability. Any anomalies should be investigated and rectified promptly.
  • Alternate Plugins: While the patched version is deemed secure, users concerned about recurring vulnerabilities may consider evaluating alternative form builder plugins with robust security features.
  • Stay Updated: Ensuring that all WordPress plugins, themes, and the core installation are up to date is crucial in protecting against known vulnerabilities. Regular updates and security checks can significantly reduce the risk of security breaches.


The discovery and subsequent patching of CVE-2024-0660 within the Formidable Forms plugin underscore the continuous battle against security vulnerabilities in the WordPress ecosystem. This incident serves as a reminder to all WordPress site owners and administrators about the importance of maintaining up-to-date plugins and adhering to best security practices. By promptly updating to version 6.8 of Formidable Forms, users can safeguard their sites from this particular vulnerability and contribute to a more secure WordPress community.


In the digital tapestry of today's online platforms, the security of WordPress websites emerges as a critical cornerstone for safeguarding user trust and maintaining site integrity. The recent identification of a vulnerability in the Formidable Forms plugin, known as CVE-2024-0660, casts a spotlight on the perpetual challenge of cyber threats and the paramount importance of timely updates. This vulnerability, bridging Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS), underscores not just the complexity of potential security breaches but also the extensive risks they pose.

Formidable Forms: A Tool of Convenience and Creativity

Formidable Forms stands out as a versatile plugin within the WordPress ecosystem, offering users the ability to create everything from simple contact forms to comprehensive surveys, quizzes, and payment systems. With over 300,000 active installs and a significant download count, its role in enhancing website functionality is undeniable.

The Vulnerability at Hand: CVE-2024-0660

CVE-2024-0660 reveals a critical security flaw in versions of Formidable Forms up to 6.7.2, where insufficient nonce validation permits unauthenticated attackers to manipulate form settings and inject malicious scripts through deceptive requests. This vulnerability, discovered by researcher Webbernaut and publicly disclosed on January 26, 2024, has been addressed in the updated version 6.8.

Risks and Potential Impacts

The implications of CVE-2024-0660 extend far beyond mere technical glitches, posing significant risks to both site functionality and user security. Unauthorized changes to form settings and the introduction of malicious scripts can lead to data breaches, loss of personal and sensitive information, and potentially, a tarnished reputation.

Mitigating the Threat

To counteract this vulnerability, users of Formidable Forms are urged to update their plugin to version 6.8 immediately, which includes the necessary security enhancements. Additionally, site administrators should conduct a thorough review of their site's forms and settings for any signs of unauthorized modifications, ensuring the integrity of their digital environment.

Historical Context and the Importance of Vigilance

With 17 previous vulnerabilities reported since January 26, 2016, the security landscape of Formidable Forms illustrates the ongoing battle against cyber threats. This history serves as a potent reminder of the necessity for continuous monitoring, updating, and employing best security practices.


For small business owners, the task of managing a WordPress site's security might seem daunting amidst a plethora of other responsibilities. However, the recent CVE-2024-0660 vulnerability in Formidable Forms highlights the critical need for vigilance and proactive measures. Staying abreast of updates, understanding the potential risks, and taking swift action to remediate vulnerabilities are essential steps in fortifying your site against the ever-evolving threats of the cyber world. In doing so, you not only protect your digital assets but also preserve the trust and safety of your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Formidable Forms Vulnerability– Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Cross-Site Request Forgery to Stored Cross-Site Scripting – CVE-2024-0660 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment