CVE-2023-2877

HIGH EXPLOITED

Formidable Forms <6.3.1 - RCE

Description

The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.

Exploits (1)

nomisec WORKING POC 2 stars
by RandomRobbieBF · remote-auth
https://github.com/RandomRobbieBF/CVE-2023-2877

Scores

CVSS v3 8.8
EPSS 0.6900
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2023-01-10

Classification

Status published

Affected Products (1)

strategy11/formidable_forms < 6.3.1

Timeline

Published Jun 27, 2023
Tracked Since Feb 18, 2026