Unauthorized Modification of Data Vulnerability in Fluent Forms Plugin
CVE-2024-2782

7.5HIGH

Key Information:

Vendor: Techjewel
Status: Contact Form Plugin By Fluent Forms For Quiz, Survey, And Drag & Drop WP Form Builder
Vendor: CVE Published:; 18 May 2024

Summary

The Contact Form Plugin by Fluent Forms for WordPress contains a significant vulnerability that permits unauthorized alteration of settings. This issue arises from a lack of capability checks on the /wp-json/fluentform/v1/global-settings REST API endpoint, impacting all versions up to and including 5.1.16. As a result, unauthenticated attackers can modify critical settings of the plugin, posing potential risks to website functionality and security. Website owners utilizing the Fluent Forms Plugin should prioritize immediate updates to mitigate this vulnerability.

Affected Version(s)

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder * <= 5.1.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3088078/flue...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 18, 2024
Vulnerability Reserved
Mar 21, 2024

Collectors

NVD DatabaseMitre Database

Credit

Tobias Weißhaar