Stored Cross-Site Scripting Vulnerability in Contact Form Plugin
CVE-2024-10646

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vendor: CVE Published:; 14 December 2024

Summary

The Contact Form Plugin by Fluent Forms for the Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is affected by a vulnerability that allows stored cross-site scripting. This issue arises from inadequate input sanitization and output escaping in the form's subject parameter. Unsanctioned attackers can exploit this vulnerability to inject arbitrary web scripts into pages, leading to the execution of these scripts whenever a user accesses an affected page. This poses a significant risk to the security and integrity of WordPress sites using this plugin.

Affected Version(s)

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder * <= 5.2.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/fluentform/tag...

https://plugins.trac.wordpress.org/changeset/3203147/flue...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 14, 2024
Vulnerability Reserved
Oct 31, 2024

Credit

Michael Mazzolini