cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-9768,https://securityvulnerability.io/vulnerability/CVE-2024-9768,Unfiltered HTML Settings Vulnerability in Formidable Forms plugin,"The Formidable Forms WordPress plugin prior to version 6.14.1 contains a vulnerability that fails to adequately sanitize and escape certain settings. This oversight can enable users with high privileges, such as administrators, to carry out Stored Cross-Site Scripting (XSS) attacks, even when the unfiltered_html capability is restricted (for instance, in a multisite configuration). This vulnerability highlights the risks associated with improperly handled input and the importance of ensuring that plugins maintain rigorous security standards.",Wordpress,Formidable Forms,4.8,MEDIUM,0.00044999999227002263,false,,false,false,true,true,false,false,2024-11-21T06:00:09.876Z,0
CVE-2017-20194,https://securityvulnerability.io/vulnerability/CVE-2017-20194,Unauthenticated Attackers Can Export All Form Entries via Plugin Flaw,"The Formidable Form Builder plugin for WordPress has a vulnerability that allows for sensitive data exposure through the frm_forms_preview AJAX action. This flaw enables unseen attackers to export all entries submitted via form interfaces, posing a significant risk of data leakage. Affected versions of this plugin, up to and including 2.05.03, require immediate attention to safeguard against unauthorized data access. Site administrators must perform updates and implement security measures to mitigate exposure risks.",Wordpress,"Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder",5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-10-16T07:31:52.606Z,0
CVE-2017-20192,https://securityvulnerability.io/vulnerability/CVE-2017-20192,Plugin Vulnerable to Stored Cross-Site Scripting,"The Formidable Form Builder plugin for WordPress contains a vulnerability that permits Stored Cross-Site Scripting (XSS) attacks via multiple parameters during form submissions, including 'after_html'. This flaw arises due to inadequate input sanitization and output escaping practices in versions earlier than 2.05.03. As a result, unauthenticated attackers can exploit this weakness to inject malicious web scripts, which may execute in the browsers of affected users, leading to potential data breaches and other security risks.",Wordpress,"Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder",8.3,HIGH,0.0005200000014156103,false,,false,false,false,,false,false,2024-10-16T06:43:36.437Z,0
CVE-2024-6725,https://securityvulnerability.io/vulnerability/CVE-2024-6725,Stored Cross-Site Scripting Vulnerability Affects Formidable Forms Plugin,"The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ parameter in all versions up to, and including, 6.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with form editing permissions and Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder",4.9,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-07-31T10:59:17.745Z,0
CVE-2024-0660,https://securityvulnerability.io/vulnerability/CVE-2024-0660,Formidable Forms Vulnerable to Cross-Site Request Forgery,"The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",Wordpress,"Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder",4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-02-05T21:21:59.377Z,0
CVE-2023-1405,https://securityvulnerability.io/vulnerability/CVE-2023-1405,Formidable Forms < 6.2 - Unauthenticated PHP Object Injection,"The Formidable Forms WordPress plugin prior to version 6.2 has a serious vulnerability that impacts the security of WordPress installations. The plugin fails to securely handle user input through unserialization, allowing unauthorized and anonymous users to achieve PHP Object Injection. This can lead to significant security risks, as attackers may exploit suitable PHP object gadgets to inject malicious objects, potentially manipulating application behavior, accessing sensitive data, or executing arbitrary code on the host server. Website administrators using this plugin should update immediately to secure their installations against possible exploitation.",Wordpress,Formidable Forms,7.5,HIGH,0.000539999979082495,false,,false,false,true,true,false,false,2024-01-16T15:56:18.763Z,0
CVE-2023-6842,https://securityvulnerability.io/vulnerability/CVE-2023-6842,Stored Cross-Site Scripting vulnerability in Formidable Forms plugin for WordPress,"The Formidable Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises from inadequate input sanitization and output escaping of the name and description field labels, which can be exploited by authenticated users with administrator-level access to inject malicious scripts. While primarily affecting multi-site installations and those with unfiltered HTML disabled, this flaw can also be exploited by users with extended permissions for form management, enabling lower-level users to carry out attacks on injected pages when accessed by other users.",Wordpress,"Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder",4.8,MEDIUM,0.0004799999878741801,false,,false,false,false,,false,false,2024-01-09T07:15:00.000Z,0
CVE-2023-6830,https://securityvulnerability.io/vulnerability/CVE-2023-6830,HTML Injection Vulnerability in Formidable Forms Plugin for WordPress,"The Formidable Forms plugin for WordPress is susceptible to HTML injection, allowing unauthenticated users to inject arbitrary HTML into form fields. Administrators viewing submitted form data may encounter this injected code in the Entries View Page, which could lead to potential admin area defacement or redirection to harmful sites. It is crucial for users to update to the latest version to mitigate these risks and protect their web applications from unauthorized access.",Wordpress,"Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder",6.1,MEDIUM,0.0005499999970197678,false,,false,false,false,,false,false,2024-01-09T07:15:00.000Z,0
CVE-2023-2877,https://securityvulnerability.io/vulnerability/CVE-2023-2877,Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution,"The Formidable Forms plugin for WordPress versions prior to 6.3.1 contains a significant security flaw where it fails to properly authorize users and validate URLs during the installation of add-ons. This vulnerability allows users with minimal roles, such as Subscribers, to install and activate any arbitrary plugins from the WordPress.org repository. This could lead to exploit scenarios including Remote Code Execution, whereby an attacker gains the ability to execute malicious code on the target site.",Wordpress,Formidable Forms,8.8,HIGH,0.0024500000290572643,false,,false,false,true,true,false,false,2023-06-27T14:15:00.000Z,0
CVE-2023-0816,https://securityvulnerability.io/vulnerability/CVE-2023-0816,Formidable Forms < 6.1 - IP Spoofing,"The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.",Wordpress,Formidable Forms,6.5,MEDIUM,0.0007600000244565308,false,,false,false,false,,false,false,2023-03-27T16:15:00.000Z,0
CVE-2021-24884,https://securityvulnerability.io/vulnerability/CVE-2021-24884,Formidable Form Builder < 4.09.05 - Unauthenticated Stored Cross-Site Scripting,"The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like