CVE-2021-24884

Source
https://cve.org/CVERecord?id=CVE-2021-24884
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-24884.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-24884
Published
2021-10-25T14:15:10.867Z
Modified
2026-03-13T01:52:20.560259Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
[none]
Details

The Formidable Form Builder WordPress plugin before 4.09.05 allows injection of certain HTML tags such as <audio>, <video>, <img>, <a> and <button>. This could allow an unauthenticated, remote attacker to exploit an HTML injection by injecting a malicious link. The HTML injection may trick authenticated users into following the link. If the link is clicked, JavaScript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation in combination with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the user's account by changing their password, or allowing attackers to submit their own code through an authenticated user, resulting in Remote Code Execution. If an authenticated user who is able to edit WordPress PHP code in any way clicks the malicious link, PHP code can be edited.

References

Affected packages

Git / github.com/Strategy11/formidable-forms

Affected ranges

Type
GIT
Repo
https://github.com/Strategy11/formidable-forms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.09.05"
        }
    ]
}

Affected versions

2.*
2.0.09b2
2.0.09b3
2.0.11b2
2.02.02b1
2.02.03b1
2.02.04
2.02.06b2
2.03.04
3.*
3.0rc1
v.*
v.2.01.03
v.2.03.08b2
v1.*
v1.07.11
v2.*
v2.0
v2.0.01
v2.0.02
v2.0.03
v2.0.04
v2.0.05
v2.0.06
v2.0.07
v2.0.08
v2.0.09
v2.0.09b
v2.0.10
v2.0.11
v2.0.11b
v2.0.12
v2.0.12b
v2.0.12rc
v2.0.13
v2.0.13b1
v2.0.13b2
v2.0.13rc
v2.0.14
v2.0.14b1
v2.0.14b2
v2.0.14b3
v2.0.14b4
v2.0.15
v2.0.15b1
v2.0.16
v2.0.16b1
v2.0.16b2
v2.0.16b3
v2.0.16b4
v2.0.17
v2.0.18
v2.0.19
v2.0.19b1
v2.0.19b2
v2.0.19b3
v2.0.19b4
v2.0.20
v2.0.21
v2.0.21.1
v2.0.22
v2.0.22b1
v2.0.23
v2.0.23b1
v2.0.23b2
v2.0.23b3
v2.0.24
v2.0.24b1
v2.0.25
v2.0.25b1
v2.0.26b1
v2.0.26b2
v2.0.26b3
v2.01.0
v2.01.01
v2.01.01b
v2.01.01b2
v2.01.02
v2.01.02b
v2.01.02b2
v2.01.0a1
v2.01.0b
v2.01.0b1
v2.01.0b2
v2.01.0b3
v2.01.0b4
v2.01.0rc1
v2.01.0rc2
v2.01.0rc3
v2.02
v2.02.01
v2.02.02
v2.02.03
v2.02.04b
v2.02.05
v2.02.05b1
v2.02.05b2
v2.02.06
v2.02.06b1
v2.02.07
v2.02.07b1
v2.02.08
v2.02.09
v2.02.10
v2.02.11
v2.02.12
v2.02.12b1
v2.02.13
v2.02.13b1
v2.02.13b2
v2.02.14b1
v2.02b
v2.02b2
v2.02b3
v2.02b4
v2.03
v2.03.01
v2.03.01b1
v2.03.02
v2.03.02b
v2.03.03
v2.03.04b
v2.03.05
v2.03.05b1
v2.03.06
v2.03.06b1
v2.03.07
v2.03.07b1
v2.03.07b2
v2.03.07b3
v2.03.08
v2.03.08b1
v2.03.09
v2.03.10
v2.03.10b1
v2.03.10b2
v2.03.11
v2.03.11a1
v2.03.11b1
v2.03a1
v2.03b1
v2.03b2
v2.03b3
v2.03rc1
v2.04
v2.04.01
v2.04.02b1
v2.05
v2.05.01
v2.05.02
v2.05.02b1
v2.05.03
v2.05.04
v2.05.05
v2.05.06
v2.05.07
v2.05.08
v2.05.09
v2.05b1
v2.0rc10
v2.0rc3
v2.0rc4
v2.0rc5
v2.0rc6
v2.0rc7
v2.0rc8
v2.0rc9
v2.1.0a1
v3.*
v3.0
v3.0.01
v3.0.02
v3.0.03
v3.0.04
v3.0.05
v3.0.06
v3.01
v3.01.01
v3.01.02
v3.01.03
v3.02
v3.02.01
v3.02.02
v3.03
v3.03.01
v3.03.02
v3.03.03
v3.04
v3.04.01
v3.04.02
v3.04.03
v3.04.03b
v3.05
v3.06
v3.06.01
v3.06.02
v3.06.03
v3.06.04
v3.06.04b
v3.06.05
v3.06.06
v3.06b
v3.0a1
v3.0b1
v3.0b2
v3.0b3
v3.0rc1
v3.0rc2
v3.0rc3
v3.0rc4
v4.*
v4.0
v4.0.01
v4.0.01b
v4.0.02
v4.0.02b
v4.0.03
v4.0.04
v4.01
v4.01.01
v4.01.02
v4.02
v4.02.01
v4.02.02
v4.02.03
v4.02.04
v4.03
v4.03.01
v4.03.02
v4.03.03
v4.03.04
v4.03.05
v4.03.06
v4.03.07
v4.03b
v4.04
v4.04.01
v4.04.02
v4.04.03
v4.04.04
v4.04.04b
v4.04.05
v4.04b
v4.05
v4.05.01
v4.05.02
v4.05b
v4.05b2
v4.05b3
v4.06
v4.06.01
v4.06.02
v4.06.03
v4.06b
v4.07
v4.07.01
v4.07.01b
v4.08
v4.08b
v4.08b3
v4.08b4
v4.09
v4.09.01
v4.09.02
v4.09.03
v4.09.04
v4.0a
v4.0a2
v4.0a3
v4.0a4
v4.0a5
v4.0a6
v4.0b1
v4.0b2
v4.0b3
v4.0b4
v4.0b5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-24884.json"