Formidable Forms 2.0.07, Information Disclosure
The Formidable Forms plugin exposes a function to the public, which allows for preview of forms. Within the body of the form preview, a field named ‘_wp_http_referer’ is set. This will contain arguments passed through in the URL. Due to a do_shortcode call on line 816, in the file formidable/classes/controllers/FrmFormsController.php, it is possible to execute arbitrary short codes. Although due to URL encoding the scope of this vulnerability is limited, it could be possible to leverage this vulnerability to gain access to other plugins sensitive short codes, possibly leading to disclosure of CSRF tokens, or other sensitive data. This vulnerability would also allow an attacker to test to see whether a certain short code is available or not, and as such determine if a particular plugin is installed.
Update to version 2.0.08
Proof of Concept
The above URL would trigger the shortcode ‘myshortcode’.
- 2015-05-13: Discovered
- 2015-05-13: Vendor notified
- 2015-05-13: Vendor responded
- 2015-05-23: Version 2.0.08 released – issue resolved
- 2015-05-30: Advisory released