CVE-2023-2877
Published 2023-06-27
CVE-2023-2877: The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing…
Priority: P1 · 83 · high · 8.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 22.45% (97.4th percentile)
The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| strategy11 | formidable_forms | < 6.3.1 | 6.3.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 8.8 | HIGH | |
GHSA
GHSA-2x7r-m54m-f2pf · ghsa_unreviewed · 2023-06-27
CVE-2023-2877 [HIGH] CWE-863 GHSA-2x7r-m54m-f2pf: The Formidable Forms WordPress plugin before 6
VulnCheck
Formidable Forms WordPress plugin Remote Code Execution Vulnerability
vulncheck · 2023 · CVSS 8.8
CVE-2023-2877 [HIGH]
Affected: strategy11 Formidable Form Builder plugin for WordPress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/formidable/formidable-forms-63-authent
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.