Vulnerabilites related to strategy11 - formidable_form_builder
Vulnerability from fkie_nvd
Published
2023-03-27 16:15
Modified
2025-02-19 17:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| strategy11 | formidable_form_builder | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "EE53A412-1B19-493C-A9A9-5821D1E22EA1",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections."
}
],
"id": "CVE-2023-0816",
"lastModified": "2025-02-19T17:15:12.377",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-03-27T16:15:09.277",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-29 12:15
Modified
2024-11-21 04:29
Severity ?
Summary
The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://pentest.co.uk/labs/advisory/cve-2019-15780/ | Third Party Advisory | |
| cve@mitre.org | https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://wordpress.org/plugins/formidable/#developers | Product, Third Party Advisory | |
| cve@mitre.org | https://wpvulndb.com/vulnerabilities/9935 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pentest.co.uk/labs/advisory/cve-2019-15780/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wordpress.org/plugins/formidable/#developers | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpvulndb.com/vulnerabilities/9935 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| strategy11 | formidable_form_builder | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "CE456A63-9BA4-4EA7-A743-1280E58790E8",
"versionEndExcluding": "4.02.01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The formidable plugin before 4.02.01 for WordPress has unsafe deserialization."
},
{
"lang": "es",
"value": "El plugin formidable versiones anteriores a 4.02.01 para WordPress, presenta una deserializaci\u00f3n no segura."
}
],
"id": "CVE-2019-15780",
"lastModified": "2024-11-21T04:29:26.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-29T12:15:11.610",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/formidable/#developers"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://wpvulndb.com/vulnerabilities/9935"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/formidable/#developers"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://wpvulndb.com/vulnerabilities/9935"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-25 14:15
Modified
2024-11-21 05:53
Severity ?
Summary
The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf | Exploit, Third Party Advisory | |
| contact@wpscan.com | https://github.com/Strategy11/formidable-forms/pull/335/files | Patch, Third Party Advisory | |
| contact@wpscan.com | https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Strategy11/formidable-forms/pull/335/files | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| strategy11 | formidable_form_builder | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "F5D020F6-F06B-4437-8BBF-CCF40D95AC45",
"versionEndExcluding": "4.09.05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like \u003caudio\u003e,\u003cvideo\u003e,\u003cimg\u003e,\u003ca\u003e and\u003cbutton\u003e.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the \"data-frmverify\" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited."
},
{
"lang": "es",
"value": "El plugin Formidable Form Builder de WordPress versiones anteriores a 4.09.05, permite inyectar determinadas etiquetas HTML como ,,,\u003ca rel=\"nofollow\"\u003e y.Esto podr\u00eda permitir a un atacante remoto no autenticado explotar una inyecci\u00f3n HTML al inyectar un enlace malicioso. La inyecci\u00f3n HTML puede enga\u00f1ar a usuarios autenticados para que sigan el enlace. Si se hace clic en el Enlace, es posible ejecutar c\u00f3digo Javascript. La vulnerabilidad es debido a un saneamiento insuficiente de la etiqueta \"data-frmverify\" para los enlaces en la p\u00e1gina de inspecci\u00f3n de entrada de los sistemas afectados. Una explotaci\u00f3n con \u00e9xito en combinaci\u00f3n con CSRF podr\u00eda permitir al atacante llevar a cabo acciones arbitrarias en un sistema afectado con los privilegios del usuario. Estas acciones incluyen el robo de la cuenta del usuario al cambiar su contrase\u00f1a o permitir a atacantes enviar su propio c\u00f3digo mediante un usuario autenticado, resultando en una ejecuci\u00f3n de c\u00f3digo remota. Si un usuario autenticado que es capaz de editar el c\u00f3digo PHP de Wordpress en cualquier tipo, hace clic en el enlace malicioso, el c\u00f3digo PHP puede ser editado\u003c/a\u003e"
}
],
"id": "CVE-2021-24884",
"lastModified": "2024-11-21T05:53:56.980",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-25T14:15:10.867",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
},
{
"source": "contact@wpscan.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-09 07:15
Modified
2025-06-03 15:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The Formidable Forms plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is rendered, potentially leading to admin area defacement or redirection to malicious websites.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| strategy11 | formidable_form_builder | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "339745B1-F228-40CE-94C1-F47F266B27EF",
"versionEndIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Forms plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is rendered, potentially leading to admin area defacement or redirection to malicious websites."
},
{
"lang": "es",
"value": "Formidable Forms complemento para WordPress es vulnerable a la inyecci\u00f3n de HTML en versiones hasta la 6.7 incluida. Esta vulnerabilidad permite a usuarios no autenticados inyectar c\u00f3digo HTML arbitrario en campos de formulario. Cuando un administrador ve los datos del formulario en la p\u00e1gina de vista de entradas, se procesa el c\u00f3digo HTML inyectado, lo que puede provocar la destrucci\u00f3n del \u00e1rea de administraci\u00f3n o la redirecci\u00f3n a sitios web maliciosos."
}
],
"id": "CVE-2023-6830",
"lastModified": "2025-06-03T15:15:52.143",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-09T07:15:13.223",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3017166%40formidable%2Ftrunk\u0026old=3009066%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3017166%40formidable%2Ftrunk\u0026old=3009066%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-28 14:15
Modified
2024-11-21 07:47
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Form Builder Team Formidable Forms plugin <= 5.5.6 versions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| strategy11 | formidable_form_builder | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "471D6611-251C-4480-A474-B7090893DC73",
"versionEndExcluding": "5.5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Form Builder Team Formidable Forms plugin\u00a0\u003c= 5.5.6 versions."
}
],
"id": "CVE-2023-24419",
"lastModified": "2024-11-21T07:47:49.820",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-28T14:15:09.540",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/formidable/wordpress-formidable-forms-plugin-5-5-6-cross-site-request-forgery-csrf?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/formidable/wordpress-formidable-forms-plugin-5-5-6-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-10-16 08:15
Modified
2024-10-30 21:00
Severity ?
Summary
The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frm_forms_preview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@wordfence.com | https://klikki.fi/formidable-forms-vulnerabilities/ | Exploit, Third Party Advisory | |
| security@wordfence.com | https://www.wordfence.com/threat-intel/vulnerabilities/id/c7600fe1-94e4-4e3e-a9a6-ff3589813715?source=cve | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| strategy11 | formidable_form_builder | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FBE5CB42-C01D-417D-9F32-B19759A96BBB",
"versionEndIncluding": "2.05.03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frm_forms_preview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form."
},
{
"lang": "es",
"value": "El complemento Formidable Form Builder para WordPress es vulnerable a la exposici\u00f3n de datos confidenciales en versiones hasta la 2.05.03 incluida a trav\u00e9s de la acci\u00f3n AJAX frm_forms_preview. Esto permite que atacantes no autenticados exporten todas las entradas de formulario de un formulario determinado."
}
],
"id": "CVE-2017-20194",
"lastModified": "2024-10-30T21:00:25.973",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2024-10-16T08:15:03.453",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://klikki.fi/formidable-forms-vulnerabilities/"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7600fe1-94e4-4e3e-a9a6-ff3589813715?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-25 14:15
Modified
2024-11-21 05:53
Severity ?
Summary
The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://plugins.trac.wordpress.org/changeset/2609911 | Patch, Third Party Advisory | |
| contact@wpscan.com | https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://plugins.trac.wordpress.org/changeset/2609911 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| strategy11 | formidable_form_builder | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0776080F-0136-476B-A879-60232D5BBBBB",
"versionEndExcluding": "5.0.07",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form\u0027s Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
},
{
"lang": "es",
"value": "El plugin Formidable Form Builder - Contact Form, Survey \u0026amp; Quiz Forms para WordPress versiones anteriores a 5.0.07, no sanea ni escapa de las etiquetas de sus formularios, lo que permite a usuarios con altos privilegios llevar a cabo ataques de Cross-Site Scripting incluso cuando la capacidad unfiltered_html no est\u00e1 permitida"
}
],
"id": "CVE-2021-24608",
"lastModified": "2024-11-21T05:53:24.117",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-25T14:15:10.397",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
},
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-09 07:15
Modified
2024-11-21 08:44
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name field label and description field label parameter in all versions up to 6.7 (inclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this only affects multi-site installations and installations where unfiltered_html has been disabled. However, in the formidable settings admins can extend form creation, deletion and other management permissions to other user types, which makes it possible for this vulnerability to be exploited by lower level user types as long as they have been granted the proper permissions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| strategy11 | formidable_form_builder | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "339745B1-F228-40CE-94C1-F47F266B27EF",
"versionEndIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form \u0026 Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name field label and description field label parameter in all versions up to 6.7 (inclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this only affects multi-site installations and installations where unfiltered_html has been disabled. However, in the formidable settings admins can extend form creation, deletion and other management permissions to other user types, which makes it possible for this vulnerability to be exploited by lower level user types as long as they have been granted the proper permissions."
},
{
"lang": "es",
"value": "Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form \u0026amp; Custom Form Builder complemento para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de la etiqueta name field y el par\u00e1metro description field label en todas las versiones hasta 6.7 (incluida) debido a una debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. De forma predeterminada, esto solo afecta a las instalaciones multisitio y a las instalaciones en las que se ha deshabilitado unfiltered_html. Sin embargo, en la configuraci\u00f3n formidable, los administradores pueden extender la creaci\u00f3n de formularios, la eliminaci\u00f3n y otros permisos de administraci\u00f3n a otros tipos de usuarios, lo que hace posible que esta vulnerabilidad sea explotada por tipos de usuarios de nivel inferior siempre que se les hayan otorgado los permisos adecuados."
}
],
"id": "CVE-2023-6842",
"lastModified": "2024-11-21T08:44:39.673",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-09T07:15:14.330",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3017166%40formidable%2Ftrunk\u0026old=3009066%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3017166%40formidable%2Ftrunk\u0026old=3009066%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-0816 (GCVE-0-2023-0816)
Vulnerability from cvelistv5
Published
2023-03-27 15:37
Modified
2025-02-19 16:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744 | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Formidable Forms |
Version: 0 < 6.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:24:34.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:52:28.681035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:52:34.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Formidable Forms",
"vendor": "Unknown",
"versions": [
{
"lessThan": "6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Ruf"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-04T07:08:45.248Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Formidable Forms \u003c 6.1 - IP Spoofing",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-0816",
"datePublished": "2023-03-27T15:37:17.374Z",
"dateReserved": "2023-02-13T19:02:20.951Z",
"dateUpdated": "2025-02-19T16:52:34.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24608 (GCVE-0-2021-24608)
Vulnerability from cvelistv5
Published
2021-10-25 13:20
Modified
2024-08-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c | x_refsource_MISC | |
| https://plugins.trac.wordpress.org/changeset/2609911 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress |
Version: 5.0.07 < 5.0.07 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.0.07",
"status": "affected",
"version": "5.0.07",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Asif Nawaz Minhas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form\u0027s Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T13:20:45",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Formidable Form Builder \u003c 5.0.07 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24608",
"STATE": "PUBLIC",
"TITLE": "Formidable Form Builder \u003c 5.0.07 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.0.07",
"version_value": "5.0.07"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Asif Nawaz Minhas"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form\u0027s Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2609911",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24608",
"datePublished": "2021-10-25T13:20:45",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:20.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6842 (GCVE-0-2023-6842)
Vulnerability from cvelistv5
Published
2024-01-09 06:41
Modified
2025-06-17 20:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name field label and description field label parameter in all versions up to 6.7 (inclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this only affects multi-site installations and installations where unfiltered_html has been disabled. However, in the formidable settings admins can extend form creation, deletion and other management permissions to other user types, which makes it possible for this vulnerability to be exploited by lower level user types as long as they have been granted the proper permissions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sswells | Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder |
Version: * ≤ 6.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:07.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3017166%40formidable%2Ftrunk\u0026old=3009066%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-30T17:09:08.586662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:39:18.211Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form \u0026 Custom Form Builder",
"vendor": "sswells",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Paniago"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form \u0026 Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name field label and description field label parameter in all versions up to 6.7 (inclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this only affects multi-site installations and installations where unfiltered_html has been disabled. However, in the formidable settings admins can extend form creation, deletion and other management permissions to other user types, which makes it possible for this vulnerability to be exploited by lower level user types as long as they have been granted the proper permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T06:41:00.196Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3017166%40formidable%2Ftrunk\u0026old=3009066%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6842",
"datePublished": "2024-01-09T06:41:00.196Z",
"dateReserved": "2023-12-15T13:29:39.406Z",
"dateUpdated": "2025-06-17T20:39:18.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15780 (GCVE-0-2019-15780)
Vulnerability from cvelistv5
Published
2019-08-29 11:55
Modified
2024-08-05 00:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wordpress.org/plugins/formidable/#developers | x_refsource_MISC | |
| https://pentest.co.uk/labs/advisory/cve-2019-15780/ | x_refsource_MISC | |
| https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt | x_refsource_CONFIRM | |
| https://wpvulndb.com/vulnerabilities/9935 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.462Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/formidable/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9935"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The formidable plugin before 4.02.01 for WordPress has unsafe deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-04T08:06:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/formidable/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9935"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15780",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The formidable plugin before 4.02.01 for WordPress has unsafe deserialization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/formidable/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/formidable/#developers"
},
{
"name": "https://pentest.co.uk/labs/advisory/cve-2019-15780/",
"refsource": "MISC",
"url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
},
{
"name": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt",
"refsource": "CONFIRM",
"url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
},
{
"name": "https://wpvulndb.com/vulnerabilities/9935",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9935"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15780",
"datePublished": "2019-08-29T11:55:16",
"dateReserved": "2019-08-29T00:00:00",
"dateUpdated": "2024-08-05T00:56:22.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24419 (GCVE-0-2023-24419)
Vulnerability from cvelistv5
Published
2023-02-28 13:35
Modified
2024-08-02 14:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Form Builder Team Formidable Forms plugin <= 5.5.6 versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Strategy11 Form Builder Team | Formidable Forms |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:56:03.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/formidable/wordpress-formidable-forms-plugin-5-5-6-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T14:43:47.742102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T14:46:32.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "formidable",
"product": "Formidable Forms",
"vendor": "Strategy11 Form Builder Team",
"versions": [
{
"changes": [
{
"at": "5.5.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafshanzani Suhada (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Form Builder Team Formidable Forms plugin\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;\u0026lt;= 5.5.6 versions.\u003c/span\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Form Builder Team Formidable Forms plugin\u00a0\u003c= 5.5.6 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-28T13:35:36.994Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/formidable/wordpress-formidable-forms-plugin-5-5-6-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;5.5.7 or a higher version."
}
],
"value": "Update to\u00a05.5.7 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Formidable Forms Plugin \u003c= 5.5.6 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-24419",
"datePublished": "2023-02-28T13:35:36.994Z",
"dateReserved": "2023-01-23T18:16:53.497Z",
"dateUpdated": "2024-08-02T14:46:32.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6830 (GCVE-0-2023-6830)
Vulnerability from cvelistv5
Published
2024-01-09 06:41
Modified
2025-06-03 14:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Formidable Forms plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is rendered, potentially leading to admin area defacement or redirection to malicious websites.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sswells | Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder |
Version: * ≤ 6.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:07.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3017166%40formidable%2Ftrunk\u0026old=3009066%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:10:31.752860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:33:09.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form \u0026 Custom Form Builder",
"vendor": "sswells",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Paniago"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Forms plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is rendered, potentially leading to admin area defacement or redirection to malicious websites."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T06:41:00.765Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3017166%40formidable%2Ftrunk\u0026old=3009066%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6830",
"datePublished": "2024-01-09T06:41:00.765Z",
"dateReserved": "2023-12-14T21:09:20.081Z",
"dateUpdated": "2025-06-03T14:33:09.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20194 (GCVE-0-2017-20194)
Vulnerability from cvelistv5
Published
2024-10-16 07:31
Modified
2024-10-16 17:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frm_forms_preview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder |
Version: * ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:strategy11:formidable_forms:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "formidable_forms",
"vendor": "strategy11",
"versions": [
{
"lessThan": "2.05.03",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20194",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T15:34:12.388970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T17:26:14.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Formidable Forms \u2013 Contact Form Plugin, Survey, Quiz, Payment, Calculator Form \u0026 Custom Form Builder",
"vendor": "strategy11team",
"versions": [
{
"lessThan": "2.05.03",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jouko Pynn\u00f6ne"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frm_forms_preview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T07:31:52.606Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7600fe1-94e4-4e3e-a9a6-ff3589813715?source=cve"
},
{
"url": "https://klikki.fi/formidable-forms-vulnerabilities/"
}
],
"timeline": [
{
"lang": "en",
"time": "2017-11-12T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Formidable Form Builder \u003c 2.05.03 - Unauthenticated Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2017-20194",
"datePublished": "2024-10-16T07:31:52.606Z",
"dateReserved": "2024-10-15T18:53:12.729Z",
"dateUpdated": "2024-10-16T17:26:14.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24884 (GCVE-0-2021-24884)
Vulnerability from cvelistv5
Published
2021-10-25 13:20
Modified
2024-08-03 19:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533 | x_refsource_MISC | |
| https://github.com/Strategy11/formidable-forms/pull/335/files | x_refsource_MISC | |
| https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress |
Version: 4.09.05 < 4.09.05 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:49:14.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.09.05",
"status": "affected",
"version": "4.09.05",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maximilian Barz"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like \u003caudio\u003e,\u003cvideo\u003e,\u003cimg\u003e,\u003ca\u003e and\u003cbutton\u003e.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the \"data-frmverify\" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T13:20:59",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Formidable Form Builder \u003c 4.09.05 - Unauthenticated Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24884",
"STATE": "PUBLIC",
"TITLE": "Formidable Form Builder \u003c 4.09.05 - Unauthenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.09.05",
"version_value": "4.09.05"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Maximilian Barz"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like \u003caudio\u003e,\u003cvideo\u003e,\u003cimg\u003e,\u003ca\u003e and\u003cbutton\u003e.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the \"data-frmverify\" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"name": "https://github.com/Strategy11/formidable-forms/pull/335/files",
"refsource": "MISC",
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"name": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf",
"refsource": "MISC",
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24884",
"datePublished": "2021-10-25T13:20:59",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:49:14.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}