CVE-2023-1405
Formidable Forms < 6.2 - Unauthenticated PHP Object Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.
El complemento de WordPress Formidable Forms anterior a 6.2 deserializa la entrada del usuario, lo que podría permitir a usuarios anónimos realizar inyección de objetos PHP cuando hay presente un dispositivo adecuado.
The Formidable Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.1.2 via deserialization of untrusted input from form submissions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-03-14 CVE Reserved
- 2023-04-06 CVE Published
- 2024-01-24 EPSS Updated
- 2024-10-22 CVE Updated
- 2024-10-22 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/8c727a31-ff65-4472-8191-b1becc08192a | 2024-10-22 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Strategy11 Search vendor "Strategy11" | Formidable Forms Search vendor "Strategy11" for product "Formidable Forms" | < 6.2 Search vendor "Strategy11" for product "Formidable Forms" and version " < 6.2" | wordpress |
Affected
| ||||||