S4E

CVE-2017-20194 Scanner

CVE-2017-20194 Scanner - Information Disclosure vulnerability in Formidable Form Builder

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 10 hours
Scan only one: Domain, Subdomain, IPv4

The Formidable Form Builder plugin is a widely used WordPress plugin designed to help users build comprehensive forms for a range of applications, from contact forms to sophisticated surveys. Developed by Strategy11, this plugin enables individuals and businesses to customize their form-building experience significantly. Many organizations, bloggers, and small businesses use Formidable Form Builder to capture data from their website visitors effectively. It's particularly popular due to its ease of use, flexibility, and the vast array of tools available to non-technical users. With wide usage across diverse WordPress setups, it plays an essential role in data collection for many sites, making its security crucial.

The vulnerability found in the Formidable Form Builder plugin allows Information Disclosure via the frm_forms_preview AJAX action. This vulnerability affects all versions up to and including 2.05.03. Unauthenticated attackers can exploit this by exporting all form entries from a targeted form, breaching data privacy. This exposure of sensitive data can lead to unauthorized access to potentially private information submitted through the affected forms. Ensuring the security of information that passes through the Formidable Form Builder is therefore critical.

Technically, the vulnerability stems from the plugin's improper handling of AJAX requests: the frm_forms_preview action does not require authentication. Attackers can send requests to the vulnerable endpoint and retrieve form data without valid user credentials. The weakness sits in the AJAX function call itself, and exploiting it requires crafting a specific request that exports form entries. Such unsecured access points allow extraction of potentially sensitive user input submitted through the forms.
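A defender-side check for the behaviour described above, as an added example that is not S4E's scanner or the plugin's own code: it scans web server access logs for requests that name the frm_forms_preview action and totals the response bytes per client. The /wp-admin/admin-ajax.php path is WordPress's standard AJAX endpoint; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=frm_forms_preview HTTP/1.1" 200 48213 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=frm%5Fforms%5Fpreview HTTP/1.1" 200 90110 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:02:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:03:00 +0000] "GET /blog/wp-admin/admin-ajax.php?x=1&action=frm_forms_preview HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
ACTION = "frm_forms_preview"  # AJAX action named in the vulnerability description

def find_preview_hits(log_text):
    """Return requests to admin-ajax.php whose query string names ACTION."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, target, status, size = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes, so an encoded action name is still matched.
        # A POST carries the action in its body, which access logs do not record.
        if ACTION in parse_qs(url.query).get("action", []):
            hits.append({"ip": ip, "time": ts, "status": int(status),
                         "bytes": 0 if size == "-" else int(size)})
    return hits

def summarize(hits):
    """Per client: request count and total bytes returned with status 200."""
    per_ip = defaultdict(lambda: {"requests": 0, "bytes_200": 0})
    for h in hits:
        per_ip[h["ip"]]["requests"] += 1
        if h["status"] == 200:
            per_ip[h["ip"]]["bytes_200"] += h["bytes"]
    return dict(per_ip)

if __name__ == "__main__":
    for ip, stats in summarize(find_preview_hits(SAMPLE_LOG)).items():
        print(ip, stats)
```

A match is a lead for review rather than proof of data export; large 200 responses to clients with no admin session are the ones to look at first on sites running version 2.05.03 or earlier.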

If exploited, this vulnerability can lead to significant impacts such as data breaches or privacy violations. Unauthorized attackers accessing form entries can misuse the harvested data for malicious purposes. These might include identity theft, unauthorized disclosures, or selling of private information on the black market. The exposure may also damage the reputation of the website's owner and erode customer trust, especially if it involves sensitive personal or financial data.
