CVE-2023-6830
Formidable Forms <= 6.7 - HTML Injection
| CVSS Score | 6.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Formidable Forms plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is rendered, potentially leading to admin area defacement or redirection to malicious websites. CVE-2024-23522 appears to be a duplicate of this issue.
| CWE | CWE-79 |
| Vendor | strategy11team |
| Product | formidable forms – contact form plugin, survey, quiz, payment, calculator form & custom form builder |
| Published | Jan 9, 2024 |
| Last Updated | Apr 8, 2026 |
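CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |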
Affected Versions
strategy11team / Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
0 ≤ version ≤ 6.7
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3017166%40formidable%2Ftrunk&old=3009066%40formidable%2Ftrunk&sfp_email=&sfph_mail=
Credits
Pedro Paniago