Stored Cross-Site Scripting in Contact Form Plugin by Fluent Forms for WordPress
CVE-2024-0618

4.8 MEDIUM

Summary

The Fastest Contact Form Builder Plugin for WordPress by Fluent Forms is vulnerable to Stored Cross-Site Scripting through improperly sanitized form titles. The vulnerability affects all versions up to and including 5.1.5 and allows authenticated attackers with administrator access to inject malicious scripts. The injected scripts can execute when users access the compromised pages. This primarily impacts multi-site setups or instances where unfiltered HTML is disabled.

Affected Version(s)

Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: <= 5.1.5

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Akbar Kustirama