“Formidable Forms” is a Wordpress plugin that is available for both free and paid version that provides additional features, it enables users to quickly create contact pages, polls and surveys, and other kinds of forms. The plugin has more than 200,000 active installations.
Jouko Pynnönen (a security researcher from Finland) has analyzed Formidable Forms plugin and discovered many vulnerabilities that expose Wordpress websites to attacks.
The most dangerous vulnerability is a blind SQL injection that can enable attackers to enumerate a site’s databases and retrieve their content. Retrieved data involves WordPress user credentials and data submitted to a website via Formidable forms.
According to the researcher:
“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.”
The plugin is also vulnerable to reflected and stored cross-site scripting (XSS) vulnerabilities. The stored one could be abused by an attacker to execute JavaScript code in the administrator’s browsing session. An attacker can insert a malicious code via forms and the code will be executed when the website admin load it on the dashboard.
Pynnonen earned $4,500 for the SQL injection flaw and a few hundred dollars for each of the other security flaws.
