advisory_details

CVE-2019-15780

CVE ID – CVE-2019-15780

CVSS SCORE – 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

AFFECTED VENDORS – Strategy11

AFFECTED PRODUCTS – Formidable Worpress Plugin

VULNERABILITY DETAILS – The Formidable plugin (version 4.01.02 and below) was found to be vulnerable to a PHP Object Injection attack. Due to the application de-serialising untrusted user input, it was possible to insert a malicious payload which allowed an unauthenticated attacker to execute commands on the underlying server.

ADDITIONAL DETAILS – The vendor has released an update to patch this vulnerability. Information can be found here: https://wordpress.org/plugins/formidable/#developers

DISCLOSURE TIMELINE:
05/08/2019 Disclosure to vendor
06/08/2019 vendor acknowledged vulnerability
09/08/2019 Fix released

CREDIT – Sam Thomas, Nour Alomary