Formidable Forms <= 6.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Vulnerability

Stored Cross-Site Scripting (XSS) exists in the Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress. The vulnerability is present in all versions up to and including 6.11.1. It occurs because the plugin fails to properly sanitize and escape the 'html' parameter when rendering fields, allowing attackers to inject arbitrary web scripts [1][2].

Exploitation

An attacker must be authenticated and have Subscriber-level access or higher, with form editing permissions enabled. The attacker can craft a field containing malicious JavaScript in the html parameter. When any user (including administrators) views or interacts with a page containing that field, the injected script executes in the browser context of the victim [1][2].

Impact

Successful exploitation results in stored cross-site scripting, allowing the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information. The scope of compromise is limited to the WordPress site and the privileges of the victim user [1][2].

Mitigation

The vendor released version 6.11.1.1 on 2024-07-31 to address this vulnerability. Users should update to version 6.11.1.1 or later immediately. No workarounds are documented. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].