CVE-2024-0660: CWE-352 Cross-Site Request Forgery (CSRF) in strategy11team Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2024-0660 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress plugin 'Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder' developed by strategy11team. The vulnerability exists in all versions up to and including 6.7.2 due to missing or incorrect nonce validation in the update_settings function. Nonces in WordPress are per-user, per-action security tokens that a handler checks to confirm a request was deliberately submitted through the site's own pages by the logged-in user rather than forged by a third-party page. When the check is absent or implemented incorrectly, an attacker can craft a request that, when executed by an authenticated administrator (typically by clicking a link or visiting a malicious page), changes form settings with the administrator's own session. This can lead to the injection of malicious JavaScript into forms managed by the plugin. Such injected scripts can be used for further attacks such as cookie theft, session hijacking, or redirecting users to malicious sites. The attacker does not need to be authenticated, but does need social engineering to get an administrator to perform the action. There are no known exploits in the wild at the time of publication, and no official patches have been released yet. The vulnerability falls under CWE-352, the common weakness class for CSRF. This plugin is widely used in WordPress environments to create complex forms, including contact forms, surveys, quizzes, payment forms, and calculators, making the attack surface significant wherever this plugin is deployed.
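To make the nonce-validation point concrete, the following is an added illustration written for this page, not code from Formidable Forms: a hypothetical WordPress admin-post handler in its vulnerable shape (settings saved with no nonce check) beside a hardened shape. The action name, option name, field names and nonce action are assumptions invented for the example.

```php
<?php
// Added illustration of the CWE-352 pattern behind CVE-2024-0660, using a
// hypothetical WordPress admin-post handler. This is NOT Formidable Forms code;
// the action name, option name and nonce action are invented for the example.

// --- Vulnerable shape: the settings POST is trusted without a nonce check.
function example_update_settings_vulnerable() {
    // Any page the logged-in admin visits can submit this POST from the admin's
    // browser; the cookie-based session makes the forged request look legitimate.
    $settings = array(
        'success_html' => wp_unslash( $_POST['success_html'] ?? '' ), // stored raw
    );
    update_option( 'example_form_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// --- Hardened shape: capability check, nonce check, then sanitization.
function example_update_settings_fixed() {
    // 1. Only users allowed to manage the site may reach this code path
    //    (defence in depth; the CSRF fix itself is the nonce check below).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. check_admin_referer() verifies the _wpnonce field generated for the
    //    action 'example_update_settings' and stops with a 403 page if it is
    //    missing, expired, or bound to a different user or action.
    check_admin_referer( 'example_update_settings', '_wpnonce' );

    // 3. Never persist request data untouched: restrict HTML to the allowed set
    //    so that even a successful forged request cannot store <script> payloads.
    $settings = array(
        'success_html' => wp_kses_post( wp_unslash( $_POST['success_html'] ?? '' ) ),
    );
    update_option( 'example_form_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_update_settings', 'example_update_settings_fixed' );

// The settings page must emit the matching nonce so legitimate submissions pass.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_update_settings">';
    wp_nonce_field( 'example_update_settings', '_wpnonce' ); // hidden _wpnonce + referer
    echo '<textarea name="success_html"></textarea>';
    submit_button( 'Save settings' );
    echo '</form>';
}
```

A page under attacker control cannot read the victim's nonce value, so its forged POST fails the check_admin_referer() step before any setting is written.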
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress websites with the Formidable Forms plugin for customer interaction, data collection, or payment processing. Successful exploitation could lead to unauthorized changes in form configurations, enabling attackers to inject malicious JavaScript. This could compromise the confidentiality of user data submitted through the forms, degrade the integrity of the website by altering form behavior, and potentially affect availability if malicious scripts disrupt normal operations. Organizations handling sensitive customer data or financial transactions are at higher risk. Additionally, injected scripts could facilitate phishing, session hijacking, or malware distribution, damaging brand reputation and leading to regulatory compliance issues under GDPR. The requirement for administrator interaction (clicking a link) means that internal security awareness and training are critical factors in risk mitigation. Since the plugin is popular among small to medium enterprises and larger organizations alike, the scope of affected systems in Europe is broad, potentially impacting sectors such as e-commerce, education, healthcare, and government services that use WordPress-based websites.
Mitigation Recommendations
1. Immediate mitigation should include restricting administrator access to trusted networks and devices to reduce the risk of social engineering attacks.
2. Implement strict Content Security Policies (CSP) to limit the impact of any injected JavaScript.
3. Educate administrators and site managers about the risks of clicking on unsolicited or suspicious links, especially when logged into WordPress admin panels.
4. Monitor web server and application logs for unusual POST requests to the update_settings endpoint or unexpected changes in form configurations.
5. Use Web Application Firewalls (WAFs) with custom rules to detect and block CSRF attack patterns targeting the plugin's endpoints.
6. Until an official patch is released, consider disabling or limiting the use of the Formidable Forms plugin on critical sites or replacing it with alternative form plugins that have robust CSRF protections.
7. Regularly back up website data and configurations to enable quick restoration if an attack occurs.
8. Follow the vendor's updates closely and apply patches immediately once available.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-17T16:16:06.223Z
- Cisa Enriched: true
Threat ID: 682d983fc4522896dcbf0d09
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 6:55:32 AM
Last updated: 7/27/2025, 1:12:37 AM