CVE-2023-1405

HIGH

Formidable Forms <6.2 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-1405. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary: This PoC demonstrates an unauthenticated PHP Object Injection vulnerability in Formidable Forms <= 6.1.2 via deserialization of untrusted input from form submissions. The exploit includes a sample payload and an alternative payload for WordPress 6.4.0, showcasing the injection technique.

Description

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.

Exploits (1)

nomisec · WORKING POC · 1 star
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2023-1405

Classification
Working PoC: 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Formidable Forms plugin for WordPress <= 6.1.2
Authentication: No auth needed
Prerequisites: Formidable Forms plugin installed and activated · Additional plugin or theme with a POP chain for exploitation
Analyzed by devstral-2 · Feb 16, 2026

References (1)

Core References (1)
Tags: Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/8c727a31-ff65-4472-8191-b1becc08192a/

Scores

CVSS v3: 7.5
EPSS: 0.0070
EPSS Percentile: 48.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-502
Status: published
Products (1): strategy11/formidable_forms < 6.2
Published: Jan 16, 2024
Tracked Since: Feb 18, 2026