CVE ID – CVE-2019-15780
CVSS SCORE – 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
AFFECTED VENDORS – Strategy11
AFFECTED PRODUCTS – Formidable WordPress Plugin
VULNERABILITY DETAILS – The Formidable plugin (version 4.01.02 and below) was found to be vulnerable to a PHP Object Injection attack. Because the application de-serialised untrusted user input, a crafted serialised payload allowed an unauthenticated attacker to execute commands on the underlying server.
ADDITIONAL DETAILS – The vendor has released an update to patch this vulnerability. Information can be found here: https://wordpress.org/plugins/formidable/#developers
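The following is an added illustration of the vulnerability class named above (unserialize() on untrusted input) beside two hardened alternatives; it is not Formidable's code and all function names, the sample data and the hypothetical class name are constructed for the example (PHP 8 assumed).

```php
<?php
// Added illustration (not the plugin's code): the unsafe pattern the advisory
// describes, and the defensive alternatives. All names are hypothetical.

// UNSAFE: user-controlled data reaches unserialize(). Any class loaded in the
// process that defines __wakeup, __destruct or __toString can be instantiated
// by the caller, which is the root cause of PHP Object Injection.
function load_form_state_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// SAFER: refuse objects. With allowed_classes => false every serialised object
// becomes __PHP_Incomplete_Class and no magic method of a real class runs.
function load_form_state_no_objects(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// SAFEST: do not use PHP serialisation for untrusted input at all. JSON can
// only yield scalars and arrays when decoded with $associative = true.
function load_form_state_json(string $raw): array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    return $data;
}

// Detection hook: flag input that carries an object token (O: or C:) before
// it is deserialised, e.g. to log and alert. Not a substitute for the above.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed samples: a plain array and an empty object of a class that
// does not exist, which exercises the __PHP_Incomplete_Class path.
$benign = serialize(['form_id' => 7, 'fields' => ['name' => 'Ada']]);
$objectPayload = 'O:8:"Whatever":0:{}';

var_dump(looks_like_serialized_object($benign));
var_dump(looks_like_serialized_object($objectPayload));
var_dump(get_class(load_form_state_no_objects($objectPayload)));
var_dump(load_form_state_json('{"form_id":7,"fields":{"name":"Ada"}}'));
```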
DISCLOSURE TIMELINE:
05/08/2019 Disclosure to vendor
06/08/2019 Vendor acknowledged vulnerability
09/08/2019 Fix released
CREDIT – Sam Thomas, Nour Alomary