Formidable Forms is a visual form builder WordPress plugin from Strategy 11. The free version has 200,000+ active installs which makes it one of the most popular contact form plugins for WordPress.
I noticed some potential security vulnerabilities in some of the more obscure AJAX actions they make available. Most of the actions are protected by a helpful function FrmAppHelper::permission_check() which checks if a user has the WordPress permission for the action as well as a valid nonce for the action. Kudos on implementing a system that makes it easy to be secure without duplicating code all over the place!
All of the actions uncovered require at least a valid WordPress account, but any account will work. If you are using this plugin, please update immediately.
Logged in users can retrieve Addon licenses
The ‘frm_fill_licenses’ AJAX action does not check for a nonce or any other authorization, allowing a user to retrieve a list of licenses from the formidablepro.com API with the hosts credentials.
frm_ajax Nonce leak
The other vulnerabilities below do require a valid nonce, though I did discover a location the ‘frm_ajax’ nonce was leaked out to a logged in user without proper authorization. I’m not going to reveal the method to retrieve it, but it was readily available.
Modify Form Fields
Using the leaked ‘frm_ajax’ an attacker is able to call many of the AJAX actions related to editing the forms. Without going into too much detail here, I was able to inject unfiltered javascript into an existing form that would be displayed to users.
Timeline
- 2/2/2016 Tried multiple contact emails to reach someone
- 2/3/2016 Located form on strategy11.com to try to use to contact
- 2/3/2016 11:46am Received response from developer
- 2/3/2016 11:59am Full disclosure sent
- 2/9/2016 Issues fixed in github repository
- 2/12/2016 Updated version released to wordpress.org repository