Threats Revealed in WordPress Sites via ‘Formidable Forms’ Flaws

A researcher found vulnerabilities in a popular WordPress plugin that malicious actors can exploit to gain access to sensitive data and take control of affected websites.

Formidable Forms is a WordPress plugin that lets users easily create contact pages, polls and surveys, and several other kinds of forms. The plugin is available in a free version and a paid version that offers additional features, and it has more than 200,000 active installations. Jouko Pynnönen of the Finland-based company Klikki Oy examined the plugin and found numerous vulnerabilities, including ones that pose critical security risks to the websites using it. The most severe flaw is a blind SQL injection that can allow attackers to enumerate a website's database and obtain its contents. Exposed data includes WordPress user credentials and data submitted to a website through Formidable forms.

The researcher also found another flaw that exposes data submitted through Formidable forms. Both this and the SQL injection flaw are related to Formidable's implementation of shortcodes, WordPress-specific code that lets users add various kinds of content to their websites with very little effort. Pynnönen also found reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS lets an attacker execute arbitrary JavaScript code in the context of an administrator's browsing session: the attacker injects the malicious code through forms, and it executes when the website administrator views it in the WordPress dashboard.

The researcher also noted that if the iThemes Sync WordPress maintenance plugin is installed alongside Formidable Forms, an attacker can use the aforementioned SQL injection flaw to obtain a user's ID and an authentication key. This data can be used to control WordPress through iThemes Sync, including to add new admins or install plugins. Formidable Forms addressed the vulnerabilities with the release of versions 2.05.02 and 2.05.03. iThemes Sync does not view the attack vector described by the researcher as a vulnerability, so it did not release a patch.

Pynnönen identified these flaws after being invited to participate in a HackerOne-hosted bug bounty program that offers rewards of up to $10,000. The program was run by an unnamed tech company based in Singapore, but the Formidable Forms vulnerabilities qualified for a bounty because the plugin was used by the company. Exploitation of the flaws on the tech firm's website could have allowed an attacker to gain access to personal information and other sensitive data.

The researcher received about $4,500 for the SQL injection vulnerability and a few hundred dollars for each of the other security holes. Still, the researcher is dissatisfied that the Singapore-based company downplayed the risks posed by the flaws and lowered the severity of the SQL injection flaw from “dangerous” to “high”.

Pynnönen previously identified serious vulnerabilities in Yahoo Mail, WordPress plugins and the WordPress core.
