CVE-2024-9768 is a Stored Cross-Site Scripting (XSS) vulnerability in the Formidable Forms WordPress plugin, a widely used tool for building forms, surveys and other interactive content. Formidable Forms is known for its drag-and-drop interface and extensive customization options and runs on more than 400,000 sites. The vulnerability lets a user who can edit forms store a JavaScript payload that executes in the browser of anyone who renders the affected form, which can be used to plant backdoors, compromise the site and expose user data. This article describes the nature of the vulnerability, how it is exploited, and its potential impact on affected websites.
| Field | Value |
|---|---|
| CVE | CVE-2024-9768 |
| Plugin | Formidable Forms < 6.14.1 |
| Severity | Low |
| All-time downloads | 18 517 783 |
| Active installations | 400 000+ |
| Publicly published | September 16, 2024 |
| Last updated | September 16, 2024 |
| Researcher | Artyom Krugov |
| OWASP Top 10 | A7:2017 Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9768 |
| | https://wpscan.com/vulnerability/3c4ff11b-4a06-433d-8f0e-4069865721c0/ |
Timeline

| Date | Event |
|---|---|
| September 16, 2024 | Plugin testing and vulnerability detection in Formidable Forms completed |
| September 16, 2024 | I contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing |
| November 4, 2024 | CVE-2024-9768 registered |
Discovery of the Vulnerability
During a recent security review, CVE-2024-9768 was identified in the CSS Layout Classes parameter of Formidable Forms. The value of this parameter is stored without sufficient sanitization and is later written into an HTML attribute without escaping, so a double quote in the value closes the attribute and everything after it becomes attacker-controlled markup, such as an event-handler attribute carrying JavaScript. The stored code executes whenever the affected form is rendered, giving an attacker a persistent foothold for backdoor access and other malicious activity. The vulnerability illustrates a flaw in how Formidable Forms handled user-supplied settings, affecting the 400,000+ sites that rely on this plugin for form creation and data collection until they update to 6.14.1 or later.
Understanding Stored XSS attacks
Stored XSS vulnerabilities are particularly dangerous because the malicious code is saved on the server side, in the site's content or settings, rather than delivered in a single crafted request as with reflected XSS. Every time an admin or visitor loads the affected element, such as a form preview, the stored script executes in their browser with that user's session.
In WordPress, stored XSS vulnerabilities are unfortunately common in plugins that store user input without proper sanitization and print it without escaping. Similar vulnerabilities in other form and comment plugins have allowed attackers to steal cookies, hijack user sessions, or deface site content. In some cases, attackers have used stored XSS against an administrator's browser to gain administrative control over a site, paving the way for more severe attacks.
Exploiting the XSS Vulnerability
To exploit CVE-2024-9768, an attacker needs a WordPress account that can create or edit forms in the Formidable Forms plugin on a vulnerable site. The steps to execute the exploit are as follows:
- Access Formidable Forms: Go to the Formidable Forms plugin section in the WordPress admin panel.
- Create a New Form: Navigate to the My Forms tab and select Add New. Choose Create a blank form to start a new form template.
- Enter Payload in CSS Layout Classes: In the form editor, open the field's CSS Layout Classes option and enter a payload that closes the class attribute and adds an event handler, for example: 123123"onmouseover='alert(1)'
- Save the Form: Once the payload is inserted, save the form with a descriptive name.
- Preview the Form: Open the form in preview mode through the admin-ajax preview endpoint, using the following URL format (with {name_forms} being the saved form's identifier): http://host.com/wp-admin/admin-ajax.php?action=frm_forms_preview&form={name_forms}
In the preview, the stored value is written into the field's class attribute unescaped, so hovering over the field fires the injected onmouseover handler and the JavaScript executes. This proves that an attacker can persist arbitrary script in the site and run it in the browser of whoever views the form, compromising the site and potentially exposing sensitive data.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-9768, both plugin developers and WordPress site administrators should take the following precautions:
- Input Validation and Sanitization: Plugin developers should validate and sanitize every setting value, especially values that are later written into HTML attributes. A CSS class list should be restricted to valid class tokens when it is saved (WordPress's sanitize_html_class() does this per token) and escaped with esc_attr() at the point it is written into the class attribute, so that a stray quote can never terminate the attribute.
- Regular Plugin Updates: WordPress administrators should monitor and install updates for Formidable Forms and other plugins regularly to ensure any security patches are applied promptly.
- Limit Access Permissions: Restrict form creation and editing to trusted users with the minimum capability needed, since this vulnerability is only reachable from an account that can edit form settings.
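The following PHP script is an added example written for this article; it is not Formidable Forms' own code and does not show the vendor's patch. It assumes that the stored CSS Layout Classes value is concatenated into a class="" attribute (the pattern the PoC above relies on) and contrasts that with the sanitize-on-save plus escape-on-output handling recommended in the list above. The esc_attr() and sanitize_html_class() definitions are simplified stand-ins so the script runs from the CLI without WordPress loaded; inside WordPress the real functions are used instead.

```php
<?php
// Added example for this article, not Formidable Forms' own code.
// Stand-ins for two WordPress functions, only defined when WordPress is not
// loaded, so the script also runs as a plain CLI script: php xss_demo.php
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Simplified esc_attr(): HTML-encode <, >, &, " and '.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class(string $class, string $fallback = ''): string {
        // Simplified sanitize_html_class(): keep only [A-Za-z0-9_-].
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $class);
        return $clean === '' ? $fallback : $clean;
    }
}

// The PoC payload from this article: the double quote closes the class
// attribute and the rest of the value becomes a new event-handler attribute.
const POC_PAYLOAD = '123123"onmouseover=\'alert(1)\'';

// Vulnerable pattern (assumed, not the plugin's actual template): the stored
// value is concatenated into markup exactly as it was saved.
function render_field_unsafe(string $layout_classes): string {
    return '<div class="' . $layout_classes . '"></div>';
}

// Input-side hardening: treat the value as a space-separated list of class
// tokens and drop every character that is not valid in a class name.
function sanitize_layout_classes(string $layout_classes): string {
    $tokens = preg_split('/\s+/', trim($layout_classes)) ?: [];
    $tokens = array_map('sanitize_html_class', $tokens);
    $tokens = array_filter($tokens, 'strlen');   // drop tokens emptied by sanitizing
    return implode(' ', $tokens);
}

// Output-side hardening: escape at the exact point the value enters an
// attribute, even though it was sanitized on save (defence in depth).
function render_field_safe(string $layout_classes): string {
    $classes = sanitize_layout_classes($layout_classes);
    return '<div class="' . esc_attr($classes) . '"></div>';
}

// True when the rendered markup contains an on*= attribute that follows a
// quote or whitespace, i.e. the attribute boundary was broken out of.
function markup_has_event_handler(string $html): bool {
    return (bool) preg_match('/["\'\s]on[a-z]+\s*=/i', $html);
}

foreach (['unsafe' => 'render_field_unsafe', 'safe' => 'render_field_safe'] as $label => $fn) {
    $html = $fn(POC_PAYLOAD);
    printf("%-7s handler injected: %-5s %s\n",
        $label . ':', markup_has_event_handler($html) ? 'yes' : 'no', $html);
}
```

Run against the PoC payload, the unsafe renderer emits the quote and the onmouseover attribute verbatim and markup_has_event_handler() reports the injected handler, while the hardened renderer reduces the value to the single class token 123123onmouseoveralert1, which contains no attribute delimiter at all. The sanitizer alone would already have stopped this payload; esc_attr() at output time is kept so that a value saved through any other path (an import, a database edit, an older plugin version) still cannot break out of the attribute.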
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9768, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #Vulnerability
Use CleanTalk solutions to improve the security of your website
Artyom k.