“Formidable Forms” is a WordPress plugin, available in a free version and a paid version with additional features, that lets users quickly create contact pages, polls and surveys, and other kinds of forms. The plugin has more than 200,000 active installations.
Jouko Pynnönen (a security researcher from Finland) analyzed the Formidable Forms plugin and discovered many vulnerabilities that expose WordPress websites to attacks.
The most dangerous vulnerability is a blind SQL injection that lets attackers enumerate a site’s databases and retrieve their contents. The retrievable data includes WordPress user credentials and the data submitted to a website via Formidable forms.
According to the researcher:
“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.”
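The root cause the researcher describes is a form-preview AJAX handler reachable without authentication and accepting raw HTML parameters. The following is an added illustration of that pattern in a hypothetical plugin (named `example_forms` here; this is not Formidable Forms' code and the action names, function names and capability are assumptions), showing the risky registration beside a hardened version that requires a logged-in user, a nonce, and filters the custom HTML.

```php
<?php
// Added illustration, not Formidable Forms code. A hypothetical plugin
// "example_forms" exposes a form-preview AJAX endpoint. The first version
// shows the shape the quote describes (reachable by anyone, parameters
// rendered as-is); the second is the hardened form a reviewer would expect.

// Placeholder renderer for the form body itself (assumption: not a real plugin function).
function example_forms_render_form() {
    return '<form><input type="text" name="q"></form>';
}

// --- Risky pattern: nopriv hook + HTML parameters echoed without filtering ---
function example_forms_preview_unsafe() {
    $before = isset( $_POST['before_html'] ) ? $_POST['before_html'] : '';
    $after  = isset( $_POST['after_html'] )  ? $_POST['after_html']  : '';
    // Unauthenticated visitors reach this via admin-ajax.php, and whatever
    // they send is rendered and processed exactly as supplied.
    echo $before . example_forms_render_form() . $after;
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_forms_preview_v1', 'example_forms_preview_unsafe' );
add_action( 'wp_ajax_example_forms_preview_v1',        'example_forms_preview_unsafe' );

// --- Hardened pattern ---
function example_forms_preview_safe() {
    // 1. Only logged-in users with an editing capability may request a preview
    //    (capability chosen as an example; pick the one that fits the feature).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. A nonce ties the request to a page the user actually loaded, so a
    //    cross-site request cannot trigger the preview on their behalf.
    check_ajax_referer( 'example_forms_preview', 'nonce' );

    // 3. Custom HTML is reduced to the post-safe subset (scripts and dangerous
    //    attributes stripped) and treated as display markup only; it is never
    //    handed to shortcode expansion or to a database query.
    $before = wp_kses_post( wp_unslash( $_POST['before_html'] ?? '' ) );
    $after  = wp_kses_post( wp_unslash( $_POST['after_html'] ?? '' ) );

    wp_send_json_success( $before . example_forms_render_form() . $after );
}
add_action( 'wp_ajax_example_forms_preview', 'example_forms_preview_safe' );
// Deliberately no wp_ajax_nopriv_ registration for the hardened action:
// an unauthenticated caller gets WordPress's default "0" response instead
// of a rendering endpoint.
```

The key difference is the missing `wp_ajax_nopriv_` hook on the hardened action: a preview feature only makes sense for someone building a form, so there is no reason for it to exist for anonymous visitors at all. The capability check and nonce then cover the authenticated path, and `wp_kses_post` limits what the HTML parameters can carry.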
Pynnönen earned $4,500 for the SQL injection flaw and a few hundred dollars for each of the other security flaws.