Formidable Forms < 6.2 - Unauthenticated PHP Object Injection
Description
The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Formidable Forms before 6.2 unserializes user input, allowing unauthenticated PHP Object Injection if a gadget class is available.
Vulnerability
The Formidable Forms WordPress plugin before version 6.2 unserializes user-supplied input without proper sanitization or validation. This insecure deserialization occurs in an unspecified code path reachable by unauthenticated users. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and affects all versions prior to 6.2 [1].
Exploitation
An anonymous attacker can send a crafted serialized payload to the plugin, which the vulnerable code then unserializes. The attacker does not need authentication or special privileges. Successful exploitation requires the presence of a suitable PHP gadget chain (a class whose magic methods, such as __destruct or __wakeup, perform dangerous operations when an object of that class is unserialized) in the WordPress core, the plugin itself, or another installed plugin or theme [1]. The researcher Nguyen Huu Do discovered and reported the issue [1].
Impact
If a viable gadget chain exists in the application environment, the attacker can achieve PHP Object Injection, which can lead to arbitrary code execution, file read/write, database manipulation, or complete site compromise depending on the available gadgets. The CVSS score is 8.1 (High) [1].
Mitigation
The vulnerability is fixed in version 6.2 of the Formidable Forms plugin, released on or before the public disclosure date of April 6, 2023 [1]. Users should update to version 6.2 or later immediately. No workarounds are documented in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/Formidable Forms
- Range: <6.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/8c727a31-ff65-4472-8191-b1becc08192a/ (MITRE reference tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.