CVE: Common Vulnerabilities and Exposures

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

Expand or collapse notification button

Required CVE Record Information

Description

The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.

CWE 1 Total

CWE-863 Incorrect Authorization

Product Status

Versions 1 Total

Default Status: unaffected

affected

Credits

Alex Sanford finder
WPScan coordinator

References 1 Total

https://wpscan.com/vulnerability/33765da5-c56e-42c1-83dd-fcaad976b402
external site
exploitvdb-entrytechnical-description

Updated: 2024-08-02

This container includes required additional information provided by the CVE Program for this vulnerability.

References 1 Total

https://wpscan.com/vulnerability/33765da5-c56e-42c1-83dd-fcaad976b402
external site
exploitvdb-entrytechnical-descriptionx_transferred

Authorized Data Publishers