6 Jun 2024

400,000+ Install WordPress Plugin Formidable Forms Is Missing More Basic Security Checks

In January, because at least one of our customers was using the 400,000+ install WordPress plugin Formidable Forms, we looked into a changelog entry for the then latest version of the plugin that suggested a cross-site request forgery (CSRF) vulnerability had been fixed. We confirmed that the developer had indeed addressed an instance of CSRF, but we also found that code similar to what was being fixed was still vulnerable to that. It turns out that version had also added yet another instance of the issue. That is striking since protection against CSRF is a really basic element of securing a WordPress plugin, so not something that should be an issue with such a popular plugin. The additional instance has yet another missing basic security check as well.

Last week, a new version of the plugin was released. The update was flagged by our system that uses machine learning, a form of artificial intelligence (AI), to try to detect when vulnerabilities have been fixed, but haven’t been disclosed, in plugins used by our customers. We found a security change being made, which changed the following line that was previously bringing in user input without sanitizing it (which is yet another security issue): [Read more]

16 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 16

Our customers provide us with the ability to help make WordPress plugins more secure, mostly with plugins they use, but to a lesser extent with other plugins. That work often goes unmentioned, so we are highlighting it to help people better understand what is going on and how signing up for our service can help to expand that work.

Cross-Site Request Forgery (CSRF) Vulnerability Fixed in Formidable Forms

In January, we found that the developers of the 300,000+ install Formidable Forms had incompletely addressed an issue with cross-site request forgery (CSRF) in the plugin. We found that because at least one of our customers was using the plugin and there was a new version released that suggested there might be a fix for that type of issue. Earlier this week, the developer released an update that fixed the remaining issue. [Read more]

6 Sep 2019

Cross-Site Request Forgery (CSRF) Vulnerability in Formidable Forms

The three most recent releases of the plugin Formidable Forms have all fixed security vulnerabilities, which isn’t a great sign for a plugin with 200,000+ installs. The oldest fixed a PHP object injection vulnerability, the next release fixed a persistent cross-site scripting (XSS) vulnerability, and the most recent version fixed a cross-site request forgery (CSRF)/PHP object injection vulnerability we spotted through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities as they are introduced into plugins. The next release is likely going to fix yet another vulnerability, as we noticed one when we were looking into the details of the persistent XSS vulnerability having been fixed, which also seems connected to the vulnerability we previously found and disclosed.

The vulnerability in this case could allow an attacker to cause entry submissions for the plugin’s forms to be deleted without the person directly causing the deletion to intend it, which is referred to as cross-site request forgery (CSRF). [Read more]

30 Aug 2019

Our Proactive Monitoring Caught a CSRF/PHP Object Injection Vulnerability in Formidable Forms

One of the ways we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a cross-site request forgery (CSRF)/PHP object injection vulnerability in the plugin Formidable Forms, which has 200,000+ installs according to wordpress.org.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

30 Aug 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Formidable Forms

The idea that popular WordPress plugins are secure is often disputed by reality, as has been the case with the plugin Formidable Forms, which has had its two most recent releases fix fairly serious security vulnerabilities (the next version will likely fix a less serious vulnerability). The older of those two fixed a PHP object injection vulnerability and the more recent fixed a persistent cross-site scripting (XSS) vulnerability. In regards to that latter issue, one of the changelog entries for the latest version is “Security: Correctly escape values on the View Entry page.” There were two sets of changes that could relate to that.

[Read more]

12 Aug 2019

Vulnerability Details: PHP Object Injection in Formidable Forms

One of the changelog entries for the latest version of Formidable Forms is “Security: Fix vulnerability with unserializing.” Looking at the changes made confirmed what that suggests: there was a PHP object injection vulnerability in the plugin. It seems possible there could still be an issue if using addons for the plugin, but with the plugin itself it has been fixed.

[Read more]

1 Dec 2017

What Happened With WordPress Plugin Vulnerabilities in November 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet): [Read more]

9 Nov 2017

Properly Limiting Access to AJAX Accessible Functions Can Prevent Insecure Code from Being Exploited in WordPress Plugins

We recently introduced a tool for doing limited automated security checks of WordPress plugins. In putting that together we have tried to strike a balance between warning about enough possible issues to effectively identify real issues and trying to limit unnecessarily warning about things that are not real issues. That isn’t easy because most security vulnerabilities are not easy to spot; if they were, they likely would have been fixed by now and security wouldn’t be a big issue.

One of the areas where we have decided to err on the side of warning of possible issues, while knowing that plugins with perfectly secure code will be identified, is with plugins allowing functions to be accessed through AJAX by those logged in to WordPress as well as those not logged in. As a recent situation with the plugin Formidable Forms shows, allowing those not logged in to access functions they don’t need to be able to access can introduce security issues that would not otherwise exist. [Read more]

9 Nov 2017

Vulnerability Details: Shortcode Execution Vulnerability in Formidable Forms

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

When Robert Mathews disclosed that an authenticated remote code execution (RCE) vulnerability that had been in the plugin Shortcodes Ultimate was being exploited, his description of the issue also indicated that there had been a vulnerability in the plugin Formidable Forms: [Read more]