CVE-2023-2877

Name of the Vulnerable Software and Affected Versions Formidable Forms WordPress plugin versions prior to 6.3.1

Description The issue allows a user with a low role, such as Subscriber, to install and activate arbitrary plugins of any version from the WordPress.org plugin repository, leading to remote code execution. This is due to inadequate authorization and validation of the plugin URL in the add-on installation functionality.

Recommendations For versions prior to 6.3.1, update to version 6.3.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability of low-role users to install plugins until the update is applied.