
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default …

Published:

28 May 2026 at 22:00:00

Alert date:

29 May 2026 at 21:09:42

Source:

nvd.nist.gov


Web Technologies, Enterprise Applications

The Formie plugin for Craft CMS contains a critical vulnerability where unauthenticated users can inject malicious Twig code through hidden form fields with custom default values. This server-side template injection vulnerability affects versions prior to 2.2.20 and 3.1.24 and can lead to complete compromise of the Craft CMS site. The vulnerability occurs during form submission handling when crafted values in hidden fields are evaluated as Twig templates. The impact depends on the specific template and sandbox configuration but can result in serious security compromise. Patches are available in versions 2.2.20 and 3.1.24.
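A defensive check for the behaviour described above, as an added example that is not from the advisory or the Formie project: it scans URL-encoded form submissions for Twig delimiters in submitted field values. The `fields[...]` parameter naming, the `handle` parameter, the field handles and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Twig opens expressions with {{, statements with {% and comments with {#.
TWIG_DELIM = re.compile(r"\{\{|\{%|\{#")


def flag_twig_in_submission(body, field_prefix="fields["):
    """Return [(field, value)] for submitted fields that contain Twig delimiters.

    body is an application/x-www-form-urlencoded POST body. field_prefix is an
    assumption about how the form namespaces its inputs; pass "" to check
    every parameter in the body.
    """
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.startswith(field_prefix) and TWIG_DELIM.search(value):
            hits.append((name, value))
    return hits


# Constructed sample bodies (not captured traffic). Field handles are hypothetical.
SAMPLES = [
    "handle=contact&fields%5Bemail%5D=a%40example.org&fields%5Bsource%5D=newsletter",
    "handle=contact&fields%5Bemail%5D=b%40example.org&fields%5Bsource%5D=%7B%7B+7*7+%7D%7D",
    "handle=contact&fields%5Bnote%5D=%7B%25+set+x+%3D+1+%25%7D",
]


def scan(samples=SAMPLES):
    """Map sample index -> flagged (field, value) pairs, skipping clean bodies."""
    results = {}
    for index, body in enumerate(samples):
        hits = flag_twig_in_submission(body)
        if hits:
            results[index] = hits
    return results


if __name__ == "__main__":
    for index, hits in scan().items():
        for name, value in hits:
            print(f"sample {index}: {name} = {value!r}")
```

A match is a triage signal rather than proof of exploitation, since legitimate text can contain braces; the fix remains upgrading to 2.2.20 or 3.1.24.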

Technical details

Affected products:

Formie
Craft CMS

This article was created with the assistance of AI technology by Perceptive.
