Vulnerabilities found by a researcher in a popular WordPress plugin can be exploited by malicious actors to gain access to sensitive data and take control of affected websites.
Formidable Forms, available both for free and as a paid version that provides additional features, is a plugin that allows users to easily create contact pages, polls and surveys, and other types of forms. The plugin has more than 200,000 active installations.
Jouko Pynnönen of Finland-based company Klikki Oy has analyzed the plugin and discovered several vulnerabilities, including ones that introduce serious security risks for the websites using it.
The flaw with the highest severity is a blind SQL injection: the injected query's result is never shown directly, but differences in the page's response let an attacker infer it one true/false answer at a time, which is enough to enumerate a website's databases and extract their content. Exposed data includes the WordPress user table, with usernames and password hashes, as well as data submitted to a website via Formidable forms.
The researcher also found another flaw that exposes data submitted via Formidable forms. Both this and the SQL injection bug are related to Formidable's implementation of shortcodes, the bracketed tags that WordPress lets page authors drop into content so that a plugin renders something in their place with very little effort. Because shortcode attributes are plain text chosen by whoever authored the content, a plugin that passes them into a database query without validation hands control of that query to the author.
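To make concrete what a shortcode-related SQL injection looks like, here is an added illustration written for this article; it is not Formidable Forms code and does not describe the specific bug the researcher found. The shortcode name (example_entries), its attributes, and the table name are assumptions. The vulnerable handler concatenates an attribute into an ORDER BY clause, which cannot be parameterised; the hardened handler allowlists the column and direction and uses $wpdb->prepare() for the numeric limit.

```php
<?php
// Added illustration, not Formidable Forms code. Shortcode name, attribute
// names and the table name are assumptions made for this example.
//
// Shortcode attributes are untrusted input: anyone who can author content that
// is rendered through do_shortcode() chooses them.

// Vulnerable pattern: the order_by and order attributes land in the SQL text.
// ORDER BY takes identifiers and expressions, so $wpdb->prepare() cannot bind
// them; a crafted attribute such as
//   order_by="(CASE WHEN (SELECT SUBSTRING(user_login,1,1) FROM wp_users LIMIT 1)='a' THEN id ELSE name END)"
// changes the row order depending on a condition the attacker picks. Observing
// which order comes back answers one yes/no question per request, which is
// exactly the oracle a blind SQL injection needs to read the database.
function example_entries_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'order_by' => 'id', 'order' => 'ASC' ), $atts, 'example_entries' );
    $table = $wpdb->prefix . 'example_entries';

    // Unsafe: untrusted text concatenated straight into the query.
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$table} ORDER BY {$atts['order_by']} {$atts['order']} LIMIT 10"
    );
    return render_example_entries( $rows );
}

// Hardened pattern: identifiers and keywords are checked against an allowlist
// and anything else falls back to a safe default; only values that can be
// bound (the LIMIT count) go through $wpdb->prepare().
function example_entries_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts = shortcode_atts(
        array( 'order_by' => 'id', 'order' => 'ASC', 'limit' => 10 ),
        $atts,
        'example_entries'
    );

    $allowed_columns = array( 'id', 'name', 'created_at' );
    $order_by = in_array( $atts['order_by'], $allowed_columns, true ) ? $atts['order_by'] : 'id';
    $order    = ( 'DESC' === strtoupper( $atts['order'] ) ) ? 'DESC' : 'ASC';
    $limit    = max( 1, min( 100, absint( $atts['limit'] ) ) );

    $table = $wpdb->prefix . 'example_entries';
    $sql   = $wpdb->prepare(
        "SELECT id, name FROM {$table} ORDER BY {$order_by} {$order} LIMIT %d",
        $limit
    );
    return render_example_entries( $wpdb->get_results( $sql ) );
}

// Output is escaped so a stored value cannot turn into markup on the page.
function render_example_entries( $rows ) {
    $out = '<ul class="example-entries">';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . esc_html( $row->name ) . '</li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'example_entries', 'example_entries_shortcode_fixed' );
```

The allowlist is the important part: because ORDER BY and table or column names are not bindable parameters, escaping or prepare() alone does not close this class of bug, and the same reasoning applies to any attribute that selects a column, a table, or a direction.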
The researcher also noticed that if the iThemes Sync WordPress maintenance plugin is installed alongside Formidable Forms, an attacker can use the SQL injection flaw to read a user's ID and authentication key. With those two values, iThemes Sync's remote management interface accepts commands for the site, including adding new administrators or installing plugins.
Formidable Forms addressed the vulnerabilities with the release of versions 2.05.02 and 2.05.03. iThemes Sync does not view the attack vector described by the researcher as a vulnerability, so it has decided not to release a patch; sites running both plugins therefore depend on the Formidable fix alone to close the chain.
Pynnönen identified these flaws after being invited to take part in a HackerOne-hosted bug bounty program that offers rewards of up to $10,000. The program was run by an unnamed Singapore-based tech company, and the Formidable Forms vulnerabilities qualified for a bounty because the firm used the plugin on its own website, where exploitation could have given an attacker access to personal information and other sensitive data.
The researcher earned $4,500 for the SQL injection vulnerability and a few hundred dollars for each of the other security holes. However, he is displeased that the Singaporean company downplayed the risks posed by the flaws and downgraded the severity of the SQL injection bug from “critical” to “high.”
UPDATE 11/20/2017. The researcher has disclosed the name of the company offering the bug bounty. It’s Grab, formerly known as GrabTaxi, a ride-hailing and logistics services firm. The company has made public the HackerOne entry for these vulnerabilities and posted a statement to clarify its decision.