Formidable Registration < 2.12 – Contributor+ Arbitrary User Password Reset To Account Takeover | CVE 2024-1290 | Plugin Vulnerabilities

Description

The plugin does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.

Proof of Concept

1. ADMIN: Install Formidable Pro plugin
2. ADMIN: Install Formidable Registration plugin
3. CONTRIBUTOR: Add shortcode to any post and specify user ID and save
4. CONTRIBUTOR: Preview post and see link to reset password (at this point this can be handled by any user/non-user)
5. CONTRIBUTOR: Change the password for user through that form and hit submit
6. CONTRIBUTOR: Logout and then log into the other user with the new password

Example shortcode: `[frm-set-password-link user_id="ANY_USER_ID"]`

Affects Plugins

formidable-registration

Fixed in 2.12

References

CVE

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Scott Kingsley Clark

Submitter

Scott Kingsley Clark

Submitter website

https://skc.dev

Submitter twitter

Verified

Yes

WPVDB ID

a60187d4-9491-435a-bc36-8dd348a1ffa3

Timeline

Publicly Published

2024-02-19 (about 1 year ago)

Added

2024-02-19 (about 1 year ago)

Last Updated

2024-02-19 (about 1 year ago)

Other

Published

Title

Published

2025-03-06

Title

InWave Jobs <= 3.5.1 - Unauthenticated Privilege Escalation

Published

2023-08-11

Title

Premium Packages - Sell Digital Products Securely < 5.7.5 - Subscriber+ Privilege Escalation

Published

2023-08-03

Title

WP Ultimate CSV Importer < 7.9.9 - Author+ Privilege Escalation

Published

2024-07-09

Title

ProfileGrid – User Profiles, Groups and Communities < 5.9.0 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation

Published

2024-10-18

Title

GERRYWORKS Post by Mail <= 1.0 - Contributor+ Privilege Escalation