Connect with us

Hi, what are you looking for?


Data Protection

WordPress Sites Exposed to Attacks by ‘Formidable Forms’ Flaws

Vulnerabilities found by a researcher in a popular WordPress plugin can be exploited by malicious actors to gain access to sensitive data and take control of affected websites.

Vulnerabilities found by a researcher in a popular WordPress plugin can be exploited by malicious actors to gain access to sensitive data and take control of affected websites.

Formidable Forms, available both for free and as a paid version that provides additional features, is a plugin that allows users to easily create contact pages, polls and surveys, and other types of forms. The plugin has more than 200,000 active installations.

Jouko Pynnönen of Finland-based company Klikki Oy has analyzed the plugin and discovered several vulnerabilities, including ones that introduce serious security risks for the websites using it.

The flaw with the highest severity is a blind SQL injection that can allow attackers to enumerate a website’s databases and obtain their content. Exposed data includes WordPress user credentials and data submitted to a website via Formidable forms.

The researcher also found another flaw that exposes data submitted via Formidable forms. Both this and the SQL injection bug are related to Formidable’s implementation of shortcodes, WordPress-specific code that allows users to add various types of content to their sites with very little effort.

Pynnonen also discovered reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS allows an attacker to execute arbitrary JavaScript code in the context of an administrator’s browsing session – the attacker injects the malicious code via forms and it gets executed when viewed by the site admin in the WordPress dashboard.

The expert also noticed that if the iThemes Sync WordPress maintenance plugin is present alongside Formidable Forms, an attacker can exploit the aforementioned SQL injection flaw to obtain a user’s ID and authentication key. This information can be used to control WordPress via iThemes Sync, including to add new admins or install plugins.

Advertisement. Scroll to continue reading.

Formidable Forms addressed the vulnerabilities with the release of versions 2.05.02 and 2.05.03. iThemes Sync does not view the attack vector described by the researcher as a vulnerability so it has decided not to release a patch.

Pynnonen identified these flaws after being invited to take part in a HackerOne-hosted bug bounty program that offers rewards of up to $10,000. The program was run by an unnamed Singapore-based tech company, but the Formidable Forms vulnerabilities qualified for a bounty due to the fact that the plugin had been used by the firm. Exploitation of the flaws on the tech firm’s website could have allowed an attacker to gain access to personal information and other sensitive data.

The researcher earned $4,500 for the SQL injection vulnerability and a few hundred dollars for each of the other security holes. However, he is displeased that the Singaporean company downplayed the risks posed by the flaws and downgraded the severity of the SQL injection bug from “critical” to “high.”

Pynnonen previously identified serious vulnerabilities in Yahoo Mail, WordPress plugins and the WordPress core.

UPDATE 11/20/2017. The researcher has disclosed the name of the company offering the bug bounty. It’s Grab, formerly known as GrabTaxi, a ride-hailing and logistics services firm. The company has made public the HackerOne entry for these vulnerabilities and posted a statement to clarify its decision.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.