Arbitrary Plugin Installation Vulnerability In Formidable Forms

During a recent internal review of the Formidable Forms plugin, a serious security issue was found that could allow low-privileged users, such as subscribers, to install arbitrary plugins on vulnerable sites.

Exploiting this vulnerability could let a malicious user install any plugin available on downloads.wordpress.org, which can lead to a wide variety of attacks, including the upload of malicious content, the creation of administrative users, or even a full site takeover.

WPScan reported the vulnerability to the authors of the plugin, who have responded by releasing Formidable Forms version 6.3.1 to mitigate this threat. We strongly advise that you update the affected plugin to this latest version and ensure you have robust security measures in place.

Source and more details: https://blog.wpscan.com/arbitrary-plugin-installation-vulnerability-in-formidable-forms/
