CVE-2024-6725
Formidable Forms <= 6.11.1 - Authenticated (Subscriber+) Stored Cross-Site ScriptingThe Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ parameter in all versions up to, and including, 6.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with form editing permissions and Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 25,400 live websites that are affected by CVE-2024-6725.
Affected Software
| Product |  Formidable Forms |
| Category | Wordpress Plugins |
| Vulnerable Domains | 25,400 live websites (39.40% of Formidable Forms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 272 versions ( 94.12% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Jul 31, 2024
- Updated - Aug 1, 2024
Credits
- D.Sim (finder)
CWE
CVE References
CWE References
CVE-2024-6725 usage by Country
 United States | 12,027 websites |
 Germany | 2,038 websites |
 France | 1,850 websites |
 GB | 1,433 websites |
 Netherlands | 777 websites |
 Australia | 635 websites |
 Canada | 601 websites |
 Sweden | 548 websites |
 Italy | 470 websites |
 Spain | 459 websites |
CVE-2024-6725 usage by TLD
| .com | 12,354 websites |
| .org | 1,308 websites |
| .co.uk | 1,281 websites |
| .de | 899 websites |
| .nl | 820 websites |
| .com.au | 812 websites |
| .fr | 791 websites |
| .ca | 674 websites |
| .net | 488 websites |
| .se | 431 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-6725
Top websites that are affected by CVE-2024-6725. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *,*** | |
| ************.**.**.uk | GB | **,*** | |
| ********.**.**.uk | GB | **,*** | |
| **************.com | United States | **,*** | |
| ********.ru |  Russia | **,*** | |
| *******************.org | United States | **,*** | |
| **************.org | United States | **,*** | |
| ****.**.uk | United States | **,*** | |
| *******.com | France | **,*** | |
| ***************.com | United States | **,*** |
FAQ
CVE-2024-6725 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Formidable Forms
A total of 25,400 websites have been identified as vulnerable to CVE-2024-6725, discovered through global website indexing conducted by WebTechSurvey.
Formidable Forms is susceptible to CVE-2024-6725 vulnerability.
Formidable Forms versions before, and including, 6.11.1 are vulnerable to CVE-2024-6725.