The popular Formidable Forms plugin, available in both free and paid editions, has over 200,000 active installations. It gives site owners a tool for building contact pages, polls, surveys and other forms. Jouko Pynnönen, the well-known Finnish researcher from Klikki Oy, has warned of a number of critical problems he found in the product.
The most dangerous of them is an SQL injection vulnerability that allows an attacker to extract the contents of a site's database, including WordPress user credentials and the data submitted through Formidable forms. The researcher also writes that a second bug, related to the handling of shortcodes, likewise allows form data to be extracted. In addition, he discovered several XSS vulnerabilities that allow malicious JavaScript to execute in the context of an administrator's session: the attacker injects the code through a vulnerable form, and it runs when the site administrator views the submission in the WordPress dashboard.
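The two mechanisms described above, as an added illustration that is not Formidable Forms code and does not reproduce the plugin's actual queries, parameters or payloads (the article does not detail them): a lookup that pastes a request parameter into SQL beside its parameterised form, and an admin-side renderer that echoes a stored form value raw beside one that escapes it on output. The table and column names (`wp_users`, `frm_items`), the sample rows, the password hash and both payloads are constructed for the demo; the database is an in-memory SQLite stand-in for MySQL.

```python
"""Constructed demo: SQL injection through a form parameter and stored XSS
in an admin view. Not Formidable Forms code; the schema, rows and payloads
are invented for illustration and the hash below is not a real password hash."""
import html
import sqlite3

# Constructed attacker input for the SQL injection: the UNION appends rows from
# the users table to the form-entries result set.
SQLI_PAYLOAD = "7 UNION SELECT user_login, user_pass FROM wp_users"

# Constructed attacker input for the stored XSS: submitted as a form field and
# later shown to the administrator in the dashboard.
XSS_PAYLOAD = "<script>alert(1)</script>"


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a WordPress-like users table and a form-entries table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakeHashForDemoOnly');
        CREATE TABLE frm_items (id INTEGER, name TEXT, form_id INTEGER);
        INSERT INTO frm_items VALUES (1, 'first entry', 7);
        INSERT INTO frm_items VALUES (2, 'second entry', 7);
        """
    )
    return con


def entries_vulnerable(con: sqlite3.Connection, form_id: str) -> list:
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so a crafted value changes the query instead of being compared as a value."""
    sql = f"SELECT id, name FROM frm_items WHERE form_id = {form_id}"
    return con.execute(sql).fetchall()


def entries_safe(con: sqlite3.Connection, form_id: str) -> list:
    """Hardened pattern: the parameter is bound, never concatenated. The injection
    string is then compared literally against the integer column and matches nothing.
    (In WordPress the equivalent is $wpdb->prepare() with a %d placeholder.)"""
    sql = "SELECT id, name FROM frm_items WHERE form_id = ?"
    return con.execute(sql, (form_id,)).fetchall()


def render_entry_vulnerable(name: str) -> str:
    """Vulnerable admin view: the stored value is echoed straight into the page,
    so a script submitted through the form runs in the administrator's browser."""
    return f"<td>{name}</td>"


def render_entry_safe(name: str) -> str:
    """Hardened admin view: escape at output time (the equivalent of esc_html()),
    so the same stored value is displayed as text rather than parsed as markup."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    con = build_db()
    print("vulnerable, normal input :", entries_vulnerable(con, "7"))
    print("vulnerable, injection    :", entries_vulnerable(con, SQLI_PAYLOAD))
    print("bound parameter, normal  :", entries_safe(con, "7"))
    print("bound parameter, injection:", entries_safe(con, SQLI_PAYLOAD))
    print("raw render     :", render_entry_vulnerable(XSS_PAYLOAD))
    print("escaped render :", render_entry_safe(XSS_PAYLOAD))
```

With the injection string, the vulnerable query returns the two form entries plus the `admin` row with its password hash; the bound version returns nothing for the same input because the whole string is compared as a value. The escaped renderer turns the angle brackets into entities, which is the property that stops a stored form value from executing when the administrator opens the entries list.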
The Formidable Forms developers have already fixed all the bugs Pynnönen reported by releasing updated versions of the plugin (2.05.02 and 2.05.03). The authors of iThemes Sync, in turn, declined to recognise the attack method the researcher described as a vulnerability, so no patch should be expected in that case.
It is also worth noting that an unnamed Singaporean company paid the researcher for the bugs through its bug bounty program on the HackerOne platform: the company uses Formidable Forms in its business, and the vulnerabilities could have had catastrophic consequences for it. Pynnönen received $4,500 for the SQL injection and several hundred dollars for the remaining issues. He writes, however, that he was unhappy with the cooperation, since the company downgraded the severity of the SQL injection from critical to high, a decision he categorically disputes.