During a recent internal review of the Formidable Forms plugin, a serious security issue was detected which could potentially enable users with low privileges such as subscribers to install arbitrary plugins on vulnerable sites.
The exploitation of this vulnerability could grant malicious users the power to install any plugin available on downloads.wordpress.org, which can lead to a wide variety of attacks, including the upload of malicious content, creation of administrative users, or even a full site takeover.
We have reported the vulnerability to the authors of the plugin, who have responded by releasing Formidable Forms version 6.3.1 to mitigate this threat. We strongly advise that you update the affected plugin to this latest version and ensure you have robust security measures in place, such as Jetpack Protect.
Subscriber+ Arbitrary Plugin Installation
| Plugin Name | Formidable Forms |
| Plugin URI | https://wordpress.org/plugins/formidable/ |
| Author | https://formidableforms.com/ |
| Affected Versions | Versions lower than 6.3.1 |
| CVE ID | CVE-2023-2877 |
| WPScan ID | 33765da5-c56e-42c1-83dd-fcaad976b402 |
| CVSSv3.1 | 9.9 |
Formidable Forms provides a functionality within WP Admin for easily installing add‑ons. The vulnerability lies in the “FrmAddonsController::install_addon” function, which handles add‑on installation.
protected static function install_addon() {
require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
$download_url = self::get_current_plugin();
if ( ! self::url_is_allowed( $download_url ) ) {
return array(
'message' => 'Plugin URL is not valid',
'success' => false,
);
}
// Create the plugin upgrader with our custom skin.
$installer = new Plugin_Upgrader( new FrmInstallerSkin() );
$installer->install( $download_url );
// Flush the cache and return the newly installed plugin basename.
wp_cache_flush();
$plugin = $installer->plugin_info();
if ( ! $plugin ) {
return array(
'message' => 'Plugin was not installed. ' . $installer->result,
'success' => false,
);
}
return $plugin;
}
The issue arises when the $download_url (which is user‑controlled) is not adequately validated before use, and the function does not check the current user’s privileges before allowing plugin installation.
public static function url_is_allowed( $download_url ) {
return (
FrmAppHelper::validate_url_is_in_s3_bucket( $download_url, 'zip' ) ||
( strpos( $download_url, 'https://downloads.wordpress.org/plugin' ) === 0 && substr_compare( $download_url, '.zip', -4 ) === 0 )
);
}
The ‘url_is_allowed’ function, intended to validate the download URL, simply checks whether the URL is located within an Amazon S3 bucket belonging to Formidable or is a download link from WordPress.org. Notably, the plugin version can be included in the URL, meaning that even outdated versions of plugins can be installed.
Unfortunately, this function is used in an weakly protected endpoint that is reachable by any logged‑in users, even those with only the subscriber role. This makes it possible for them to install any version of any plugin from the WordPress.org repository, including ones with known security vulnerabilities, thus enabling the easy attainment of RCE.
Proof of concept for this vulnerability will be available in the WPScan entry for this vulnerability on June 19th.
Conclusion
We encourage you to check the version of the Formidable Forms plugin in use on your site, and if it is within the affected range, perform an update as soon as possible.
At Jetpack, we are committed to ensuring your website’s protection against these types of vulnerabilities. It is highly recommended that you implement a security plan for your site that includes scanning for malicious files and maintaining regular backups. Jetpack offers a comprehensive solution to ensure the safety of your site and its visitors.
Credits
Original researcher: Alex Sanford
Many thanks to the rest of the WPScan team for their invaluable feedback, assistance, and corrections.
WPScan 
Leave a comment