Fluent Forms Plugin Vulnerable to Privilege Escalation Attacks
CVE-2024-2771

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Contact Form Plugin By Fluent Forms For Quiz, Survey, And Drag & Drop WP Form Builder
Vendor: CVE Published:; 18 May 2024

Summary

The Contact Form Plugin by Fluent Forms is susceptible to a privilege escalation vulnerability stemming from a lack of appropriate capability checks in the /wp-json/fluentform/v1/managers REST API endpoint. This issue allows unauthenticated attackers to assign management permissions to any user, granting them complete access to all settings and features of the plugin. Furthermore, this vulnerability enables attackers to delete manager accounts, posing significant risks to the integrity and security of the WordPress site utilizing this plugin. Immediate attention to update to the latest version is essential to mitigate potential exploits.

Affected Version(s)

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder * <= 5.1.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3088078/flue...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 18, 2024
Vulnerability Reserved
Mar 21, 2024

Credit

Tobias Weißhaar