Formidable Forms Vulnerability – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Cross-Site Request Forgery to Stored Cross-Site Scripting – CVE-2024-0660 | WordPress Plugin Vulnerability Report
Plugin Name: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Key Information:
- Software Type: Plugin
- Software Slug: formidable
- Software Status: Active
- Software Author: strategy11team
- Software Downloads: 19,521,336
- Active Installs: 300,000
- Last Updated: January 30, 2024
- Patched Versions: 6.8
- Affected Versions: <= 6.7.2
Vulnerability Details:
- Name: Formidable Forms <= 6.7.2
- Title: Cross-Site Request Forgery to Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CVE: CVE-2024-0660
- CVSS Score: 6.1
- Publicly Published: January 26, 2024
- Researcher: Webbernaut
- Description: The Formidable Forms plugin is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 6.7.2. The issue arises from inadequate nonce validation in the plugin's update_settings function, which allows unauthenticated attackers to alter form settings and inject malicious JavaScript via a forged request if they can trick an administrator into performing an action such as clicking a link.
Summary:
Formidable Forms, a widely used WordPress plugin for building forms, has a vulnerability in all versions up to and including 6.7.2. The flaw permits CSRF attacks that escalate to Stored XSS, putting both site integrity and user security at risk. The vulnerability is fixed in version 6.8.
Detailed Overview:
Discovered by the researcher Webbernaut, this vulnerability highlights a significant oversight in the plugin's security practices. The missing nonce check makes it feasible for attackers to craft requests that, when unwittingly executed by a logged-in site administrator's browser, lead to unauthorized changes in form settings. Those changes can include injected scripts, which are then stored and executed within the site, compromising both the site's functionality and the security of its users.
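To illustrate the bug class described above, here is a hypothetical WordPress settings handler with no nonce check, beside the hardened form that verifies a nonce, checks capability and sanitizes before storing. This is an added example, not Formidable Forms' own code; all function, action and option names are assumed.

```php
<?php
// Hypothetical admin-post handlers illustrating the CSRF-to-Stored-XSS pattern
// behind CVE-2024-0660. Not the plugin's code; every name below is assumed.

// VULNERABLE PATTERN: no nonce check, no capability check, raw input stored.
// A forged POST submitted by a logged-in administrator's browser is accepted
// and the attacker-controlled value is persisted. Shown for contrast; not hooked.
function example_update_settings_vulnerable() {
    $settings = array(
        'form_title'      => $_POST['form_title'] ?? '',
        'success_message' => $_POST['success_message'] ?? '',
    );
    update_option( 'example_form_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// HARDENED PATTERN: the settings form must embed
// wp_nonce_field( 'example_update_settings', '_example_nonce' ).
function example_update_settings_fixed() {
    // 1. Nonce: bound to this user and site, so a cross-site forged request
    //    cannot supply it. check_admin_referer() dies with HTTP 403 on failure.
    check_admin_referer( 'example_update_settings', '_example_nonce' );

    // 2. Capability: only users permitted to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 3. Sanitize on input so <script> and event-handler attributes never
    //    reach the database, even if a request somehow passes the checks above.
    $settings = array(
        'form_title'      => sanitize_text_field( wp_unslash( $_POST['form_title'] ?? '' ) ),
        'success_message' => wp_kses_post( wp_unslash( $_POST['success_message'] ?? '' ) ),
    );
    update_option( 'example_form_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_update_settings', 'example_update_settings_fixed' );

// 4. Escape on output as well: stored data is untrusted regardless of input filtering.
function example_render_title() {
    $settings = get_option( 'example_form_settings', array() );
    echo '<h2>' . esc_html( $settings['form_title'] ?? '' ) . '</h2>';
}
```

A missing nonce check alone is enough for CSRF; input sanitization and output escaping are what stop a forged or otherwise authorized request from turning into Stored XSS.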
Advice for Users:
- Immediate Action: Users of the Formidable Forms plugin should immediately upgrade to version 6.8, which addresses this security vulnerability. Delaying this update could leave your site exposed to potential CSRF and Stored XSS attacks.
- Check for Signs of Exploitation: Administrators are advised to inspect their site's form settings for unexpected changes or injected scripts that could indicate this vulnerability was exploited. Any anomalies should be investigated and remediated promptly.
- Alternate Plugins: While the patched version is deemed secure, users concerned about recurring vulnerabilities may consider evaluating alternative form builder plugins with robust security features.
- Stay Updated: Ensuring that all WordPress plugins, themes, and the core installation are up to date is crucial in protecting against known vulnerabilities. Regular updates and security checks can significantly reduce the risk of security breaches.
Conclusion:
The discovery and subsequent patching of CVE-2024-0660 within the Formidable Forms plugin underscore the continuous battle against security vulnerabilities in the WordPress ecosystem. This incident serves as a reminder to all WordPress site owners and administrators about the importance of maintaining up-to-date plugins and adhering to best security practices. By promptly updating to version 6.8 of Formidable Forms, users can safeguard their sites from this particular vulnerability and contribute to a more secure WordPress community.