VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2024 · Updated Apr 8, 2026

Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder <= 6.16.1.2 - Reflected Cross-Site Scripting via Custom HTML Form Parameter

CVE-2024-11188

Description

The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to POST-Based Reflected Cross-Site Scripting via the Custom HTML Form parameters in all versions up to, and including, 6.16.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated reflected XSS in WordPress Formidable Forms ≤6.16.1.2 via unsanitized Custom HTML Form parameters.

Vulnerability

The Formidable Forms plugin for WordPress (all versions up to and including 6.16.1.2) contains a POST-Based Reflected Cross-Site Scripting (XSS) vulnerability. The bug resides in the handling of Custom HTML Form parameters; insufficient input sanitization and output escaping allow arbitrary JavaScript injection. The code path is reachable via the FrmFieldsHelper.php file [1], which processes field options including custom_html. Affected versions: all ≤6.16.1.2.
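To show the defect class the paragraph above describes, here is an added example (hypothetical WordPress plugin code, not Formidable Forms' own; function names, the `custom_html` POST parameter and the nonce action are assumptions): a custom-HTML field option reflected from a POST request without escaping, beside a hardened version that checks the request and escapes for each output context using WordPress's standard helpers.

```php
<?php
// Added illustration of reflected XSS via a "custom HTML" field option.
// Hypothetical code, NOT the plugin's own. Assumes a WordPress runtime
// (wp_verify_nonce, wp_kses_post, esc_attr, wp_unslash are core functions).

// VULNERABLE: the raw request value is written into the page twice, once as
// HTML body and once inside an attribute, with no sanitization or escaping.
// Any markup the request carries is rendered by the browser of whoever
// submitted the form, which is the whole point of reflected XSS.
function render_custom_html_preview_unsafe() {
    $custom_html = isset( $_POST['custom_html'] ) ? $_POST['custom_html'] : '';
    echo '<input type="hidden" name="custom_html" value="' . $custom_html . '">';
    echo '<div class="custom-html-preview">' . $custom_html . '</div>';
}

// HARDENED: same feature, three controls added.
function render_custom_html_preview_safe() {
    // 1. Reject POSTs that do not carry a nonce bound to the current session,
    //    so a third-party page cannot have a logged-in user submit this form.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'edit_custom_html_field' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    // 2. Only users allowed to build forms may reach the preview at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 3. Sanitize on input: wp_kses_post() enforces the post-content HTML
    //    allowlist, dropping <script>, on* event handlers and javascript: URLs
    //    while keeping the benign markup a "custom HTML" field legitimately needs.
    $raw         = isset( $_POST['custom_html'] ) ? wp_unslash( $_POST['custom_html'] ) : '';
    $custom_html = wp_kses_post( $raw );

    // Escape per output context: attribute context needs esc_attr(), because
    // allowlisted HTML that is safe as body content would still break out of
    // a quoted attribute value.
    echo '<input type="hidden" name="custom_html" value="' . esc_attr( $custom_html ) . '">';
    // HTML-body context: the kses-filtered markup is intentionally rendered.
    echo '<div class="custom-html-preview">' . $custom_html . '</div>';
}
```

The fix the vendor shipped is not reproduced here; the point is that sanitization (kses allowlist) and context-specific escaping are separate steps, and the advisory text says both were insufficient.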

Exploitation

An unauthenticated attacker can craft a malicious POST request containing a payload in the Custom HTML Form parameter. The attacker must then trick a victim (e.g., a site administrator) into performing an action, such as clicking on a crafted link or submitting a form that includes the poisoned parameter. No special network position or authentication is required; the attack is triggered when the victim interacts with the malicious link.

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts (JavaScript) into the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The script runs with the victim's privilege level, so the impact is greater when the victim is an administrative user with access to more sensitive data.

Mitigation

A fix is included in version 6.16.2, released on 2024-11-23 [2]. Users should update immediately to 6.16.2 or later. No CISA KEV listing exists for this CVE. For users who cannot update, disallowing untrusted users from accessing Custom HTML Form fields may reduce risk, but no complete workaround is documented.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
