Description
The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted with form entries, such as 'after_html', in versions before 2.05.03, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.
Exploits (1)
nomisec
WORKING POC
by flame-11 · client-side
https://github.com/flame-11/CVE-2017-20192-formidable-forms
Nuclei Templates (1)
Formidable Forms < 2.05.02 - Cross-Site Scripting
MEDIUM · VERIFIED · by 0xanis
FOFA:
body="formidable" && body="wp-content/plugins"
Scores
CVSS v3: 8.3
EPSS: 0.2874
EPSS Percentile: 96.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Lab Environment
Details
VulnCheck KEV: 2024-10-15
CWE: CWE-79
Status: published
Products (2)
strategy11/formidable_form_builder: < 2.05.03
strategy11team/Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder: < 2.05.03
Published: Oct 16, 2024
Tracked Since: Feb 18, 2026