CVE-2024-0660: 
WordPress vulnerability analysis and mitigation

The Formidable Forms WordPress plugin (versions up to and including 6.7.2) was identified with a Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2024-0660. The vulnerability was discovered in early 2024 and affects the plugin's form settings functionality (Wordfence Advisory).

The vulnerability stems from missing or incorrect nonce validation in the update_settings function. This security flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) by Wordfence and 4.3 (Medium) by NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to modify form settings and inject malicious JavaScript through forged requests. The impact is contingent upon successfully tricking a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

The vulnerability has been patched in version 6.8 of the Formidable Forms plugin. Site administrators are strongly advised to update to this version or later to protect against potential CSRF attacks (WPScan).