Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover

Description The plugin does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. 1. ADMIN: Install Formidable Pro plugin 2. ADMIN: Install Formidable...

Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover

Description The plugin does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. PoC 1. ADMIN: Install Formidable Pro plugin 2. ADMIN: Install...

CVE-2024-0660

The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the updatesettings function. This...

CVE-2024-0660

The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the updatesettings function. This...

Cross site request forgery (csrf)

The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the updatesettings function. This...

CVE-2024-0660 Formidable Forms <= 6.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the updatesettings function. This...

CVE-2024-0660 Formidable Forms <= 6.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the updatesettings function. This...

CVE-2024-0660

The CVE-2024-0660 entry concerns Formidable Forms for WordPress with CSRF in the update_settings path. Exact root cause: missing or incorrect nonce validation allows unauthenticated attackers to submit forged requests that alter form settings and inject malicious JavaScript, by prompting a site a...

WordPress plugin Formidable Forms security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A security vulnerability exists in WordPress plugin...

PT-2024-15727 · WordPress · Formidable Forms

Name of the Vulnerable Software and Affected Versions: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress versions up to, and including, 6.7.2 Description: The issue is due to missing or incorrect nonce validation on the update...

WordPress Formidable Forms Plugin <= 6.7 is vulnerable to Content Injection

Software Formidable Forms Type Plugin Vulnerable versions = 6.7 Fixed in 6.7.1 OWASP Top 10 A3: Injection Classification Content Injection CVE CVE-2024-23522 Patch priority Medium CVSS severity Medium 5.3 Developer Claim ownership PSID b82c61d4e6f0 Credits Revan Arifio Required privilege...

Formidable urql Cross-Site Scripting Vulnerability

Formidable urql is a customizable and versatile GraphQL client from Formidable. A cross-site scripting vulnerability exists in Formidable urql due to incorrect escaping of html-like characters in the response stream...

WordPress Formidable Forms Plugin <= 6.7.2 is vulnerable to Cross Site Request Forgery (CSRF)

Software Formidable Forms Type Plugin Vulnerable versions = 6.7.2 Fixed in 6.8 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2024-0660 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID 7a7ac0638cbc Credits Webbernaut Required...

Formidable Forms < 6.8 - CSRF to Stored Cross-Site Scripting

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the updatesettings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a...

CVE-2023-1405

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present...

CVE-2023-1405

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present...

Design/Logic Flaw

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present...

CVE-2023-1405 Formidable Forms < 6.2 - Unauthenticated PHP Object Injection

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present...

CVE-2023-1405 Formidable Forms < 6.2 - Unauthenticated PHP Object Injection

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present...

CVE-2023-1405

CVE-2023-1405 affects the Formidable Forms WordPress plugin up to version 6.1.2. It arises from unserializing user input, enabling unauthenticated PHP Object Injection when a suitable gadget is present. Impact is HIGH (I:HIGH, A:NONE) with remote attacker access. Mitigation: upgrade to version 6....