The Formidable Forms WordPress plugin lets site owners build contact pages, polls, surveys and many other kinds of forms; it has more than 200,000 active installs. Security researcher Jouko Pynnönen analysed the plugin and discovered several vulnerabilities that expose WordPress sites running it to attack.
The blind SQL injection can be exploited to enumerate a site's databases and read their content, including user credentials and the data visitors have submitted through Formidable forms. If the iThemes Sync WordPress maintenance plugin is installed alongside Formidable Forms, an attacker can use the same SQL injection flaw to obtain a user's ID and authentication key.
Jouko Pynnönen wrote in a post:
“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.”
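Because the preview function described above was reachable without authentication, the most useful thing a site operator can do after patching is look back through access logs for requests that carried those two parameters. The script below is an added example written for this article, not code from the plugin or from Pynnönen's advisory. It assumes the preview function is reached through WordPress's standard AJAX endpoint, /wp-admin/admin-ajax.php; the real AJAX action name is not given on this page, so the detector keys only on the before_html and after_html parameter names, and the sample log lines (including the placeholder action name "example_preview") are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs


# The two parameters the quoted advisory names as the way to add custom HTML
# before and after the unauthenticated form preview.
SUSPECT_PARAMS = {"before_html", "after_html"}

# Assumption: the preview function is served by WordPress's standard AJAX
# endpoint. The real action name is not given on this page, so we key on the
# parameter names rather than on the action value.
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/nginx combined-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log for this example; "example_preview" is a placeholder
# action name, not the plugin's real one.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1532
203.0.113.9 - - [01/Nov/2017:10:00:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41
198.51.100.23 - - [01/Nov/2017:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=example_preview&before_html=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2210
198.51.100.23 - - [01/Nov/2017:10:01:40 +0000] "GET /wp-admin/admin-ajax.php?action=example_preview&after_html=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 2198
"""


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_preview_abuse(log_text):
    """Return one finding per request that hits the AJAX endpoint with
    before_html or after_html in its query string."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != AJAX_PATH:
            continue
        # parse_qs URL-decodes values ("%3C" -> "<", "+" -> " ") for us.
        params = parse_qs(url.query, keep_blank_values=True)
        hit = SUSPECT_PARAMS & set(params)
        if not hit:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "status": rec["status"],
            "params": hit,
            # Decoded first value of each injected parameter, for triage.
            "values": {p: params[p][0] for p in hit},
        })
    return findings


if __name__ == "__main__":
    for f in find_preview_abuse(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} status={f['status']} "
              f"params={sorted(f['params'])} values={f['values']}")
```

Two caveats when running this against real logs: a standard access log records only the query string, so a POST request that carried before_html or after_html in its body will not be seen unless the server or WAF logs request bodies; and because the preview function was open to everyone, a hit does not by itself distinguish an attacker from an administrator previewing a form, so decoded values that contain script or event-handler markup are the ones to triage first.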
Formidable Forms fixed the flaws with the release of versions 2.05.02 and 3.
Pynnönen reported the issues through a bug bounty program and earned $4,500 for the SQL injection flaw and a few hundred dollars for each of the other vulnerabilities.