CVE-2024-0660 in Formidable Forms Plugin
Summary
by MITRE • 02/06/2024
The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-0660 affects the Formidable Forms plugin for WordPress, a widely used tool for creating various types of forms including contact forms, surveys, quizzes, payment forms, and custom form builders. This particular weakness resides within the plugin's update_settings function which fails to properly validate nonces, creating a critical cross-site request forgery vulnerability that impacts all versions up to and including 6.7.2. The issue stems from the absence of proper authentication checks that would normally prevent unauthorized modifications to form configurations.
The technical flaw manifests when an attacker crafts a malicious request that exploits the missing nonce validation mechanism within the plugin's administrative interface. Without proper nonce verification, an attacker can manipulate form settings through forged requests that appear legitimate to the WordPress system. This vulnerability specifically targets the update_settings function which handles administrative modifications to form configurations, allowing attackers to potentially inject malicious JavaScript code or alter form behavior in ways that could compromise site security and data integrity.
The operational impact of this vulnerability is significant as it enables unauthenticated attackers to perform administrative actions on vulnerable WordPress sites. An attacker only needs to trick a site administrator into clicking on a malicious link or visiting a compromised webpage to execute the CSRF attack successfully. This makes the vulnerability particularly dangerous because it leverages social engineering techniques rather than requiring direct system access or advanced exploitation methods. The consequences could include unauthorized form modifications, data exfiltration, injection of malicious code, and potential complete compromise of the affected WordPress installation.
The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in software applications. This classification emphasizes the fundamental flaw in the plugin's security model where proper validation mechanisms are absent or improperly implemented. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and persistence through web application exploitation, potentially enabling attackers to establish long-term access to compromised systems. Organizations using the Formidable Forms plugin should immediately update to the latest version to address this vulnerability, implement additional security measures such as two-factor authentication for administrative accounts, and monitor for suspicious administrative activities that might indicate exploitation attempts.
The security implications extend beyond simple configuration changes as malicious JavaScript injection could lead to more severe consequences including user data theft, site defacement, or serving as a foothold for further attacks within the network. This vulnerability demonstrates the critical importance of proper input validation and authentication mechanisms in web applications, particularly those handling administrative functions. The lack of nonce validation represents a fundamental security failure that could allow attackers to bypass normal access controls and assume administrative privileges within the WordPress environment.