Vulnerabilities (CVE)

Filtered by vendor Strategy11 Subscribe
Filtered by product Formidable Forms
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-0660 1 Strategy11 1 Formidable Forms 2024-02-13 N/A 4.3 MEDIUM
The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-1405 1 Strategy11 1 Formidable Forms 2024-02-05 N/A 7.5 HIGH
The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.
CVE-2023-2877 1 Strategy11 1 Formidable Forms 2024-02-04 N/A 8.8 HIGH
The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.