Formidable Forms WordPress Plugin is Vulnerable to SQL Injection and XSS Attacks

The Formidable Forms WordPress plugin lets users easily build contact pages, polls, surveys and many other kinds of forms; it has more than 200,000 active installs. Security researcher Jouko Pynnönen analysed the plugin and discovered several vulnerabilities that expose WordPress websites to attack.

The blind SQL injection can be exploited to enumerate a website's databases and read their content, including user credentials and the data submitted to the site through Formidable forms. If the WordPress installation also runs the iThemes Sync maintenance plugin alongside Formidable Forms, an attacker can use the SQL injection flaw to obtain a user's ID and authentication key.

According to a Security Affairs post, the researcher found both stored and reflected cross-site scripting (XSS) vulnerabilities in the plugin. The stored XSS could be exploited to execute arbitrary JavaScript in the context of an administrator's browsing session: an attacker injects malicious code through a form submission, and the code runs when the site admin views that submission in the dashboard.

Jouko Pynnönen wrote in a post:

“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.”
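The two weaknesses the article names, an unauthenticated AJAX preview that echoes caller-controlled before_html/after_html, and a query built from untrusted input, shown as an added illustration in WordPress PHP. This is not Formidable Forms' code; the action, table and helper names are hypothetical, and the insecure handler is paired with a hardened one that applies the usual WordPress controls.

```php
<?php
// Added illustration (not the plugin's own code). Hypothetical helper that
// renders a form record; it escapes the only untrusted value it outputs.
function render_form_fields($form) {
    return '<form><fieldset><legend>' . esc_html($form->name) . '</legend></fieldset></form>';
}

// --- Insecure shape: reachable without login (wp_ajax_nopriv_), echoes
// caller-supplied HTML verbatim, and concatenates untrusted input into SQL. ---
function insecure_form_preview() {
    global $wpdb;
    $form_id     = $_POST['form_id'];      // untrusted, used in SQL -> blind SQLi
    $before_html = $_POST['before_html'];  // untrusted, output raw -> XSS
    $after_html  = $_POST['after_html'];   // untrusted, output raw -> XSS
    $form = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}forms WHERE id = $form_id");
    echo $before_html . render_form_fields($form) . $after_html;
    wp_die();
}
add_action('wp_ajax_nopriv_insecure_form_preview', 'insecure_form_preview');
add_action('wp_ajax_insecure_form_preview', 'insecure_form_preview');

// --- Hardened shape: authenticated only, capability and nonce checked,
// parameterised query, and HTML reduced to an allow-list before output. ---
function hardened_form_preview() {
    global $wpdb;
    check_ajax_referer('form_preview_nonce', 'nonce');   // rejects forged requests
    if (!current_user_can('manage_options')) {          // privileged users only
        wp_send_json_error('forbidden', 403);
    }
    $form_id     = absint($_POST['form_id'] ?? 0);       // coerced to a non-negative int
    $before_html = wp_kses_post(wp_unslash($_POST['before_html'] ?? ''));
    $after_html  = wp_kses_post(wp_unslash($_POST['after_html'] ?? ''));
    $form = $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}forms WHERE id = %d", $form_id)
    );
    if (!$form) {
        wp_send_json_error('not found', 404);
    }
    echo $before_html . render_form_fields($form) . $after_html;
    wp_die();
}
// No wp_ajax_nopriv_ registration: unauthenticated callers never reach this code.
add_action('wp_ajax_hardened_form_preview', 'hardened_form_preview');
```

wp_kses_post keeps only the tags and attributes WordPress allows in post content, so script tags and event-handler attributes in before_html/after_html are stripped rather than stored and later rendered to an administrator.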

Formidable Forms fixed the flaws with the release of versions 2.05.02 and 3.

Pynnönen reported the flaws through a bug bounty program and earned $4,500 for the SQL injection flaw and a few hundred dollars for each of the other security flaws.
