The vulnerability identified as CVE-2024-0660 affects the Formidable Forms plugin for WordPress, a widely used tool for creating contact forms, surveys, quizzes, payments, calculators, and custom forms. The root cause is a missing or incorrect nonce validation in the update_settings function, which is intended to protect against Cross-Site Request Forgery (CSRF) attacks. Without proper nonce checks, an attacker can craft a malicious request that, when executed by an authenticated administrator (via clicking a link or visiting a malicious page), causes unauthorized changes to form settings. This can include injecting malicious JavaScript code into forms, potentially enabling further attacks such as cross-site scripting (XSS), session hijacking, or data theft. The vulnerability affects all versions up to and including 6.7.2. The attack vector is network-based with no privileges required but does require user interaction (administrator action). The vulnerability impacts confidentiality and integrity by allowing unauthorized modifications but does not affect availability. Although no public exploits are currently known, the presence of this vulnerability in a popular WordPress plugin makes it a significant risk. The scope is limited to sites running the affected plugin versions with administrative users. The CVSS 3.1 score of 6.1 reflects medium severity, balancing ease of exploitation with the requirement for user interaction and limited scope of impact.

Organizations using the Formidable Forms plugin on WordPress sites face risks including unauthorized modification of form configurations and injection of malicious JavaScript. This can lead to compromised site integrity, defacement, or the execution of malicious scripts that steal user data or hijack sessions. Attackers could leverage this to escalate attacks, potentially targeting site visitors or administrators. The trustworthiness of affected websites may be damaged, impacting brand reputation and user confidence. While availability is not directly impacted, the indirect consequences of injected malicious code could lead to broader security incidents. Since the attack requires an administrator to be tricked into clicking a link, social engineering is a key enabler, increasing the risk in environments with less security awareness. The vulnerability could be exploited in targeted attacks against organizations relying on this plugin, especially those with high-value data or critical web presence.

To mitigate this vulnerability, organizations should immediately update the Formidable Forms plugin to a version that addresses the nonce validation issue once available. Until a patch is released, administrators should avoid clicking on suspicious links and implement web application firewalls (WAFs) with rules to detect and block CSRF attempts targeting the update_settings endpoint. Enforce strict administrator access controls and limit the number of users with administrative privileges. Employ multi-factor authentication (MFA) for all admin accounts to reduce the risk of compromised credentials. Regularly audit form configurations and monitor logs for unauthorized changes. Educate administrators about phishing and social engineering risks to prevent inadvertent execution of malicious requests. Additionally, consider implementing Content Security Policy (CSP) headers to mitigate the impact of injected JavaScript. Finally, maintain regular backups of site configurations to enable quick restoration if compromise occurs.