{"id":2727,"date":"2024-01-26T16:15:44","date_gmt":"2024-01-26T16:15:44","guid":{"rendered":"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/"},"modified":"2024-01-26T16:15:44","modified_gmt":"2024-01-26T16:15:44","slug":"formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting","status":"publish","type":"post","link":"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/","title":{"rendered":"Formidable Forms <= 6.7.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting"},"content":{"rendered":"
The Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 6.7.2. This is due to missing nonce validation in the update_settings function. This makes it possible for unauthenticated attackers to change form settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.<\/div>\n

<\/p>\n

The Formidable Forms plugin for WordPress is a popular tool that lets users build custom forms, surveys, quizzes and more. However, version 6.7.2 and earlier are vulnerable to a CSRF attack that can lead to stored Cross-Site Scripting (XSS). This means an attacker can change the form settings and add malicious JavaScript code that will run in the browsers of the website's visitors. To address this issue, users can follow these security recommendations:<\/p>\n

1. Update to the latest version: The Formidable Forms developers have released an update (version 6.7.3) that fixes this vulnerability. Users are advised to update the plugin to the latest available version to keep their website secure.
\n2. Restrict access to administrators: Only trusted and authorized users should be granted access to the admin area. This reduces the chances that an unauthenticated attacker can carry out a successful CSRF attack.
\n3. Watch out for suspicious links: Site administrators should be cautious when clicking links from unknown or suspicious sources. This helps prevent them from being tricked into performing unwanted actions, such as changing the form settings.
\n4. Monitor and review the logs: Administrators should watch for any unusual activity in the website logs. CSRF attacks can leave traces in the server logs, which can help detect and quickly mitigate any attempt to exploit this vulnerability.<\/p><\/div>\n

Using Formidable Forms to build custom forms can be a great addition to a WordPress website. However, it is crucial to keep the plugin and every other part of the site regularly updated to protect against known vulnerabilities. By following the security recommendations above, users can mitigate the risk of a CSRF attack and protect the integrity of their website and their visitors' information.<\/div>\n","protected":false},"excerpt":{"rendered":"

The Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 6.7.2. This is due to missing nonce validation in the update_settings function. This makes it possible for unauthenticated attackers to change […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[443],"class_list":["post-2727","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cve-2024-0660"],"yoast_head":"\nFormidable Forms <= 6.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting - SeguridadWordPress.es<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Formidable Forms <= 6.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting - SeguridadWordPress.es\" \/>\n<meta property=\"og:description\" content=\"The Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 6.7.2. This is due to missing nonce validation in the update_settings function. This makes it possible for unauthenticated attackers to change […]\" \/>\n<meta property=\"og:url\" content=\"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/\" \/>\n<meta property=\"og:site_name\" content=\"SeguridadWordPress.es\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-26T16:15:44+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/\",\"url\":\"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/\",\"name\":\"Formidable Forms <= 6.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting - SeguridadWordPress.es\",\"isPartOf\":{\"@id\":\"http:\/\/127.0.0.1\/#website\"},\"datePublished\":\"2024-01-26T16:15:44+00:00\",\"dateModified\":\"2024-01-26T16:15:44+00:00\",\"author\":{\"@id\":\"\"},\"breadcrumb\":{\"@id\":\"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/127.0.0.1\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Formidable Forms <= 6.7.2 – Cross-Site Request Forgery to Stored Cross-Site 
Scripting\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/127.0.0.1\/#website\",\"url\":\"http:\/\/127.0.0.1\/\",\"name\":\"SeguridadWordPress.es\",\"description\":\"Collection of WordPress vulnerabilities.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/127.0.0.1\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Formidable Forms <= 6.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting - SeguridadWordPress.es","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/","og_locale":"en_US","og_type":"article","og_title":"Formidable Forms <= 6.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting - SeguridadWordPress.es","og_description":"The Formidable Forms \u2013 Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 6.7.2. This is due to missing nonce validation in the update_settings function. This makes it possible for unauthenticated attackers to change […]","og_url":"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/","og_site_name":"SeguridadWordPress.es","article_published_time":"2024-01-26T16:15:44+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/","url":"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/","name":"Formidable Forms <= 6.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting - SeguridadWordPress.es","isPartOf":{"@id":"http:\/\/127.0.0.1\/#website"},"datePublished":"2024-01-26T16:15:44+00:00","dateModified":"2024-01-26T16:15:44+00:00","author":{"@id":""},"breadcrumb":{"@id":"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/127.0.0.1\/formidable-forms-6-7-2-cross-site-request-forgery-to-stored-cross-site-scripting\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/127.0.0.1\/"},{"@type":"ListItem","position":2,"name":"Formidable Forms <= 6.7.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting"}]},{"@type":"WebSite","@id":"http:\/\/127.0.0.1\/#website","url":"http:\/\/127.0.0.1\/","name":"SeguridadWordPress.es","description":"Collection of WordPress vulnerabilities.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/127.0.0.1\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"amp_enabled":true,"_links":{"self":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/2727"}],"collection":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/comments?post=2727"}],"version-history":[{"count":0,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/2727\/revisions"}],"wp:attachment":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/media?parent=2727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/categories?post=2727"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/tags?post=2727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}