CVE-2023-2877

2023-06-2714:15:11

[email protected]

web.nvd.nist.gov

113

formidable forms

wordpress plugin

security vulnerability

cve-2023-2877

remote code execution

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.5%

JSON

The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.

Affected configurations

Vulners

NVD

Node

strategy11formidable_formsRange<6.3.1

VendorProductVersionCPE
strategy11formidable_forms*cpe:2.3:a:strategy11:formidable_forms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
strategy11	formidable_forms	*	cpe:2.3:a:strategy11:formidable_forms::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Formidable Forms",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "6.3.1"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]