8.8
CVE-2023-2877
- EPSS 22.27%
- Veröffentlicht 27.06.2023 14:15:11
- Zuletzt bearbeitet 21.11.2024 07:59:28
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginFormidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
Formidable Forms <= 6.3 - Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.
Mögliche Gegenmaßnahme
Formidable Forms – WordPress Form Builder for Contact Forms, Calculators, Quizzes & More: Update to version 6.3.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Strategy11 ≫ Formidable Forms SwPlatformwordpress Version < 6.3.1
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Formidable Forms – WordPress Form Builder for Contact Forms, Calculators, Quizzes & More
Version
[*, 6.3.1)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 22.27% | 0.974 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
https://wpscan.com/vulnerability/33765da5-c56e-42c1-83dd-fcaad976b402
https://www.wordfence.com/threat-intel/vulnerabilities/id/d9f060bd-029a-462e-b308-8366e82be383