Formie Craft CMS Plugin Twig Injection Vulnerability in Hidden Fields

Vulnerability

A server-side template injection (SSTI) vulnerability has been identified in the Formie Craft CMS plugin, affecting versions prior to 2.2.20 on the 2.x line and prior to 3.1.24 on the 3.x line. The issue arises in Hidden fields whose Default value is set to Custom: an unauthenticated user can submit a crafted value for such a field, and that value is evaluated as a Twig template during submission processing. The severity depends on how the template is evaluated and on what Twig sandboxing, if any, is in effect, but it can lead to full compromise of the Craft site. A site is exposed only if it has a publicly reachable Formie form that includes at least one Hidden field with this configuration.

Impact

Exploitation of this vulnerability gives an unauthenticated attacker server-side template injection, which can lead to compromise of the Craft site.

Remediation

Upgrade to Formie 2.2.20 (2.x line) or 3.1.24 (3.x line), both of which include the fix. Until the upgrade is applied, Hidden fields can be temporarily removed from public forms, or their Default value can be switched away from Custom, where feasible.
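The fix has two independent release lines, so a simple "is the version below X" check is not enough. The following script is an added example (not code from the Formie project or from this advisory) that reads a site's composer.lock and decides whether the installed Formie version predates the fix for its own line. It assumes Formie is installed via Composer under the package name verbb/formie, and the composer.lock fragment below is constructed for illustration.

```python
import json
import re

# Fixed versions stated in the advisory: 2.2.20 for the 2.x line, 3.1.24 for the 3.x line.
FIXED_VERSIONS = {2: (2, 2, 20), 3: (3, 1, 24)}

# Assumption: Formie is installed via Composer under this package name.
FORMIE_PACKAGE = "verbb/formie"

# Constructed sample composer.lock fragment (not taken from any real site).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.5.11"},
        {"name": FORMIE_PACKAGE, "version": "v2.1.9"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> tuple:
    """Turn 'v2.2.20' / '3.1.24' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if this Formie version predates the fix for its release line.

    Lines other than 2.x and 3.x are interpreted from the advisory's wording
    ("prior to 2.2.20 and 3.1.24"): anything older than 2.x is unfixed,
    anything newer than 3.x is not covered by the advisory.
    """
    v = parse_version(version)
    major = v[0]
    if major < 2:
        return True
    if major > 3:
        return False
    return v < FIXED_VERSIONS[major]


def formie_version_from_lock(lock_json: str, package: str = FORMIE_PACKAGE):
    """Return the locked version string for the Formie package, or None if absent."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(lock_json: str) -> dict:
    """Summarise whether the locked Formie version is affected."""
    version = formie_version_from_lock(lock_json)
    if version is None:
        return {"installed": False, "version": None, "vulnerable": False}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # On a real site: check_lock(open("composer.lock").read())
    print(check_lock(SAMPLE_COMPOSER_LOCK))
```

A vulnerable version is only the first half of the condition: the site is exploitable only if a public form contains a Hidden field with Default value set to Custom, which has to be reviewed in the Formie form settings in the control panel.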

Added: May 29, 2026, 8:30 PM
Updated: May 29, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.5
remediation: 0.0
relevance: 9.6
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.