CVE-2023-2877

high-risk
Published 2023-06-27

The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.

Do I need to act?

!
69.0% chance of exploitation in next 30 days
EPSS score — higher than 31% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Formidable Forms

Affected Vendors

Strategy11

References (2)

Exploit https://wpscan.com/vulnerability/33765da5-c56e-42c1-83dd-fcaad976b402
Exploit https://wpscan.com/vulnerability/33765da5-c56e-42c1-83dd-fcaad976b402
54
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 19/34 · Moderate
Exposure 5/34 · Minimal