FKIE_CVE-2021-24884

Vulnerability from fkie_nvd - Published: 2021-10-25 14:15 - Updated: 2024-11-21 05:53
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.
References
contact@wpscan.comhttps://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdfExploit, Third Party Advisory
contact@wpscan.comhttps://github.com/Strategy11/formidable-forms/pull/335/filesPatch, Third Party Advisory
contact@wpscan.comhttps://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdfExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Strategy11/formidable-forms/pull/335/filesPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533Exploit, Third Party Advisory
Impacted products
Vendor Product Version
strategy11 formidable_form_builder *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "F5D020F6-F06B-4437-8BBF-CCF40D95AC45",
              "versionEndExcluding": "4.09.05",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like \u003caudio\u003e,\u003cvideo\u003e,\u003cimg\u003e,\u003ca\u003e and\u003cbutton\u003e.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the \"data-frmverify\" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited."
    },
    {
      "lang": "es",
      "value": "El plugin Formidable Form Builder de WordPress versiones anteriores a 4.09.05, permite inyectar determinadas etiquetas HTML como ,,,\u003ca rel=\"nofollow\"\u003e y.Esto podr\u00eda permitir a un atacante remoto no autenticado explotar una inyecci\u00f3n HTML al inyectar un enlace malicioso. La inyecci\u00f3n HTML puede enga\u00f1ar a usuarios autenticados para que sigan el enlace. Si se hace clic en el Enlace, es posible ejecutar c\u00f3digo Javascript. La vulnerabilidad es debido a un saneamiento insuficiente de la etiqueta \"data-frmverify\" para los enlaces en la p\u00e1gina de inspecci\u00f3n de entrada de los sistemas afectados. Una explotaci\u00f3n con \u00e9xito en combinaci\u00f3n con CSRF podr\u00eda permitir al atacante llevar a cabo acciones arbitrarias en un sistema afectado con los privilegios del usuario. Estas acciones incluyen el robo de la cuenta del usuario al cambiar su contrase\u00f1a o permitir a atacantes enviar su propio c\u00f3digo mediante un usuario autenticado, resultando en una ejecuci\u00f3n de c\u00f3digo remota. Si un usuario autenticado que es capaz de editar el c\u00f3digo PHP de Wordpress en cualquier tipo, hace clic en el enlace malicioso, el c\u00f3digo PHP puede ser editado\u003c/a\u003e"
    }
  ],
  "id": "CVE-2021-24884",
  "lastModified": "2024-11-21T05:53:56.980",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-25T14:15:10.867",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
    },
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
    },
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.