Formidable Forms < 6.1 – IP Spoofing | CVE 2023-0816 | Plugin Vulnerabilities

Description

The plugin uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.

Proof of Concept

1. In WordPress's Settings > Discussion page, add your IP address to the Disallowed Comment Keys field. This will block form submissions from your IP address.
2. Submit the form, and intercept the request. Add the header `X-Forwarded-For: 192.1.2.3` (you may change the IP address to any other address).
3. See that the form submission is not blocked.

Affects Plugins

Fixed in 6.1

References

CVE

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

a281f63f-e295-4666-8a08-01b23cd5a744

Timeline

Publicly Published

2023-03-06 (about 2 years ago)

Added

2023-03-06 (about 2 years ago)

Last Updated

2023-03-06 (about 2 years ago)

Other

Published

Title

Published

2024-12-23

Title

Advanced Google reCAPTCHA < 1.26 - Brute Force Protection IP Unblock

Published

2019-05-29

Title

ConvertPlus <= 3.4.2 - Unauthenticated Arbitrary User Role Creation

Published

2015-02-26

Title

EasyCart 1.1.30 - 3.0.20 - Privilege Escalation

Published

2023-12-27

Title

Build App Online < 1.0.22 - Unauthenticated Account Takeover via Weak Password Reset Mechanism

Published

2022-04-28

Title

Countdown & Clock <= 3.0.6 - Pro Features Lock Bypass