Vulnerabilities in Formidable Forms, Duplicator and Yoast SEO Plugins

Vulnerabilities have been reported in the Formidable Forms, Duplicator and Yoast SEO WordPress plugins. The Premium version of Wordfence protects against all of these vulnerabilities, even if you have not updated your plugins yet. We do recommend that you update immediately, whether or not you are using the Premium version of Wordfence.

The details of the vulnerabilities are as follows:

Formidable Forms 2.05.02 and older has multiple severe vulnerabilities

Jouko Pynnönen disclosed multiple vulnerabilities in Formidable Forms version 2.05.02 and older. The report included multiple serious problems:

  • A preview function allowed unauthenticated users to execute an arbitrary shortcode. Normally, the use of shortcodes is restricted to site authors or administrators, as many of them could be used to exploit a site.
  • One of the plugin’s shortcodes included a SQL injection vulnerability.
  • Another shortcode allowed an unauthenticated user to view form responses.
  • Form previews were vulnerable to reflected cross site scripting.
  • Form input was not sufficiently sanitized to prevent stored cross site scripting, which could have been used to target administrators when they viewed form responses.

Formidable Forms is used by over 200,000 active sites according to WordPress.org. The Formidable Forms team has released multiple updates addressing these issues, starting at 2.05.02. We released a firewall rule today, protecting Wordfence Premium customers from attempts to exploit these vulnerabilities. Free users should upgrade to version 2.05.05 immediately.

Duplicator 1.2.28 and older vulnerable to stored XSS

WPVulnDB also reports that Duplicator, running on over 1 million active sites, has fixed a stored cross site scripting vulnerability affecting versions 1.2.28 and older. The report also includes the code changes.

Duplicator version 1.2.29 fixed this issue, but their changelog does not mention a vulnerability (there is currently no entry at all for version 1.2.29). Wordfence includes built-in protection against attacks of this nature, so both Premium and free users should be safe.

Yoast SEO 5.7.1 and older vulnerable to unauthenticated XSS

Ryan Dewhurst’s WPVulnDB is reporting that Yoast SEO fixed an unauthenticated cross site scripting vulnerability that affected versions 5.7.1 and older. The code change showing the fix is linked to from the WPVulnDB report.

Wordfence also protects against this exploit (both free and Premium).
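Since all three fixes come down to "is the installed version above the last affected one", here is an added audit script (not Wordfence's or any of the plugins' code) that reads the JSON printed by `wp plugin list --format=json` and flags the three plugins by the versions named in this post. The WordPress.org slugs are assumed to match the plugins' directory names, and the sample input is constructed.

```python
"""Flag installed plugins at or below the last affected version from the post."""
import json
import re

# Last affected version per plugin slug, as stated in the post above.
LAST_VULNERABLE = {
    "formidable": "2.05.02",     # Formidable Forms; post recommends 2.05.05
    "duplicator": "1.2.28",      # Duplicator; fixed in 1.2.29
    "wordpress-seo": "5.7.1",    # Yoast SEO
}


def parse_version(v):
    """'2.05.02' -> (2, 5, 2): only digit runs are compared, leading zeros dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_at_or_below(installed, last_bad):
    """True when installed <= last_bad; shorter tuples are padded with zeros."""
    a, b = parse_version(installed), parse_version(last_bad)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def audit(plugin_list_json):
    """Return {slug: (installed_version, 'vulnerable'|'patched', activation_status)}.

    Inactive plugins are reported as well so that an old copy left on disk
    (e.g. a backup plugin deactivated between uses) is not overlooked.
    """
    findings = {}
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if slug not in LAST_VULNERABLE:
            continue
        vulnerable = is_at_or_below(plugin["version"], LAST_VULNERABLE[slug])
        findings[slug] = (plugin["version"], "vulnerable" if vulnerable else "patched",
                          plugin.get("status"))
    return findings


# Constructed sample of `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "formidable", "status": "active", "update": "available", "version": "2.05.02"},
    {"name": "duplicator", "status": "inactive", "update": "none", "version": "1.2.30"},
    {"name": "wordpress-seo", "status": "active", "update": "none", "version": "5.7.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.0"},
])

if __name__ == "__main__":
    for slug, (ver, state, active) in audit(SAMPLE).items():
        print(f"{slug:15} {ver:10} {state:10} ({active})")
```

Run it against real output with `wp plugin list --format=json | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`.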

Conclusion

We encourage you to share these vulnerabilities with the larger WordPress community to help keep site owners safe from exploitation.


Comments

16 Comments
  • Duplicator 1.2.30 (11/13/2017) states: Fix: XSS security patch in the installer.php file.
    There is no 1.2.29 version listed in the Duplicator changelog.

  • Thank you always for your work, guys.

    I'm surprised Yoast SEO has a vulnerability. They are an amazing plugin that I would not know what to do without (like Wordfence).

    Cheers,
    Hazim

  • Hi
    I will tell you something weird: I felt something strange about Yoast SEO. It was updating the plugin as soon as I was updating; it is like they were trying to do something, maybe to gain access to my site through the plugin. This plugin also created some roles; I do not remember well how much access it was granting, but I deleted them.
    Also, the site is slow in the backend because of it; thinking of finding an alternative.
    Thank you for providing this info.

  • Not the first time Yoast SEO has suffered from a vulnerability. Much as I like this plugin, they seem very careless when issuing updates. Sometimes you get 3 in a row, one day after the other. As a respected plugin, one would expect them to take more care in testing updates before they release them, rather than sending them out and having to update them almost immediately when a bug pops up.

    • In fairness to them, they have got a lot better at this over the last couple of years and you rarely get 2-3 releases in a couple of days anymore.
      Still as arrogant as ever though. Odd for a plugin that essentially does what all other CMSs do out of the box.

  • Thank you so much for the update and for keeping us safe from vulnerability attacks.

  • So glad Wordfence is keeping abreast of the latest vulnerabilities for those of us who own websites. Keep up the great work. My site uses Yoast SEO and of course Wordfence.

  • Thanks for every post like this - and keeping on top of all this with the Wordfence plugin!

  • Thank you for this!

  • Yes, I've been having odd things happening with Yoast SEO recently. 'Something' was putting a whole load of code at the bottom of posts (only visible when looking at the html) - it looked like theme instructions, but I kept deleting it and hoping it was nothing worse. Then after another update Yoast stopped working - wouldn't save keywords. The latest updates seem to have it back working properly. Let's hope it's all fixed.

    Thanks for keeping Wordfence alert to all this, Mark.

  • Yoast had an update yesterday to v5.8 and it crashed my site (others reported this too). Not sure if this update was an attempt to fix this vulnerability. In the meantime I had to reinstall v5.7. I'm glad to know that Wordfence would apparently catch this vulnerability anyway.

  • Thanks for the vulnerability mention within Yoast. Will have to notify clients and ensure we're up-to-date. Thanks for the updates!

  • This week I took down 20 Websites thanks to YOAST.

    Meanwhile, YOAST pushes the 5.8 plugin update this week with NO MENTION of their crap sandwich YoastSEO plugin security and recent YOAST hack fest!

    GOOGLE: YOAST and VIRUS and you will discover the truth about YOAST and their shoddy security over the years - i.e., in 2015, 2013...

    • Woah there. Actually Yoast and his team are reputable and generally provide solid software. Not sure what this is about or where it is coming from.

  • Thanks for the information and also plugin. It would be helpful if you describe more on how to diagnose if I have any vulnerability.

  • Hi, does anyone know if the vulnerability exists when a plugin is deactivated? I always deactivate Duplicator after using, until the next back-up. Thnx.