CVE-2023-2877

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.8HIGH

EPSS

69.0%

top 1.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Formidable Forms Strategy11 Formidable Forms

Timeline

PublishedJun 27

Description

The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5unknown/formidable_forms< 6.3.1

▶NVDstrategy11/formidable_forms< 6.3.1

🔴Vulnerability Details

CVEList

Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution↗2023-06-27

▶

GHSA

GHSA-2x7r-m54m-f2pf: The Formidable Forms WordPress plugin before 6↗2023-06-27

▶

VulnCheck

Formidable Forms WordPress plugin Remote Code Execution Vulnerability↗2023

▶