The popular Formidable Forms plugin, available in both free and paid versions, has more than 200,000 active installations. It gives website owners a tool for building contact pages, polls and other forms.
Jouko Pynnönen, a well-known Finnish researcher at Klikki Oy, has warned of a number of critical vulnerabilities he found in this product.
The most dangerous of the problems found is an SQL injection vulnerability that allows an attacker to extract database contents from affected sites, including the credentials of WordPress users and the data submitted through Formidable forms. The researcher also writes that a second bug, in the plugin's shortcode handling, likewise makes it possible to extract form submission data.
In addition, the expert found several XSS vulnerabilities that allow malicious JavaScript to be executed in the context of an administrator's session (stored XSS). The attacker submits the malicious code through a vulnerable form, and it runs when the site administrator views the submission in the WordPress dashboard.
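As an added illustration (not Formidable Forms' own code, and not the specific bugs Pynnönen reported), the fragment below shows the two flaw classes described above in a hypothetical WordPress plugin: an ORDER BY clause built from a request parameter, which lets a visitor steer the query at arbitrary tables such as wp_users, and submission values echoed unescaped in a wp-admin table, which lets a visitor's `<script>` run in the administrator's session. Each is shown beside a hardened version. The table and column names, the `order_by`/`order` parameters and the `demo_` function names are assumptions made for this example.

```php
<?php
// Hypothetical plugin fragment written for this article; not Formidable Forms code.
// Table name "{prefix}demo_entries" and its columns are assumptions.

// --- Vulnerable: the "order_by" request parameter is spliced straight into SQL.
// Whoever controls that parameter controls the rest of the statement, so data from
// other tables (e.g. wp_users password hashes) can be pulled into the result set.
function demo_list_entries_vulnerable( $form_id ) {
    global $wpdb;
    $order_by = isset( $_GET['order_by'] ) ? $_GET['order_by'] : 'created_at';
    $sql = "SELECT id, value, created_at FROM {$wpdb->prefix}demo_entries
            WHERE form_id = $form_id ORDER BY $order_by";
    return $wpdb->get_results( $sql );
}

// --- Vulnerable: values typed by an anonymous visitor are printed unescaped on a
// wp-admin screen, so a submission containing <script> executes with the logged-in
// administrator's cookies and nonces (stored XSS).
function demo_render_entries_vulnerable( array $entries ) {
    echo '<table class="widefat">';
    foreach ( $entries as $entry ) {
        echo '<tr><td>' . $entry->id . '</td><td>' . $entry->value . '</td></tr>';
    }
    echo '</table>';
}

// --- Hardened: the sort column must match an allowlist and the form id is bound
// through $wpdb->prepare(). Identifiers cannot be bound as %s/%d placeholders,
// which is why the allowlist, not escaping, is the control for ORDER BY.
function demo_list_entries_safe( $form_id ) {
    global $wpdb;
    $allowed  = array( 'id', 'value', 'created_at' );
    $order_by = isset( $_GET['order_by'] ) ? sanitize_key( $_GET['order_by'] ) : 'created_at';
    if ( ! in_array( $order_by, $allowed, true ) ) {
        $order_by = 'created_at';
    }
    $dir = ( isset( $_GET['order'] ) && 'asc' === strtolower( $_GET['order'] ) ) ? 'ASC' : 'DESC';
    $sql = $wpdb->prepare(
        "SELECT id, value, created_at FROM {$wpdb->prefix}demo_entries
         WHERE form_id = %d ORDER BY $order_by $dir",
        absint( $form_id )
    );
    return $wpdb->get_results( $sql );
}

// --- Hardened: the screen is gated on a capability check and every untrusted
// value is escaped for the HTML context it lands in.
function demo_render_entries_safe( array $entries ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ) );
    }
    echo '<table class="widefat">';
    foreach ( $entries as $entry ) {
        echo '<tr><td>' . absint( $entry->id ) . '</td><td>' . esc_html( $entry->value ) . '</td></tr>';
    }
    echo '</table>';
}
```

Two points worth checking in any plugin that stores visitor input: whether every column or table name that reaches a query comes from a fixed list (on WordPress 6.2 and later, `$wpdb->prepare()` also accepts an `%i` placeholder for identifiers), and whether every stored value is passed through `esc_html()`, `esc_attr()` or `wp_kses()` at the point where it is printed in wp-admin rather than being trusted because it was "only" typed into a form.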
According to the researcher, the SQL injection in Formidable Forms also endangers another plugin, iThemes Sync. By exploiting it, an attacker can learn a user's iThemes Sync user ID and authentication key and then use them to manage the WordPress site through iThemes Sync, gaining the ability to add new administrators and install plugins.
The Formidable Forms developers have already fixed all the bugs Pynnönen found, releasing updated versions of the plugin (2.05.02 and 2.05.03). The iThemes Sync authors, for their part, declined to acknowledge the described attack path as a vulnerability in their product, so no patch should be expected there.
It is worth noting that an unnamed Singapore company paid the researcher for these findings through a bug bounty program on the HackerOne platform: the company uses Formidable Forms in its operations, and the vulnerabilities could have had catastrophic consequences for its business. In the end, Pynnönen received $4,500 for one vulnerability and several hundred dollars for the rest. He writes, however, that he was left dissatisfied with the collaboration, because the company downgraded the severity of the SQL injection from critical to high, a decision he strongly disputes.