Fluent Forms Quiz, Survey, and Drag & Drop WP Form Builder Plugin Vulnerable to PHP Object Injection
CVE-2024-4157

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Contact Form Plugin By Fluent Forms For Quiz, Survey, And Drag & Drop WP Form Builder
Vendor: CVE Published:; 22 May 2024

Summary

The Contact Form Plugin by Fluent Forms for WordPress is susceptible to a PHP Object Injection vulnerability due to deserialization of untrusted input in the extractDynamicValues function. This flaw impacts all versions up to 5.1.15 and enables authenticated attackers with contributor-level access or higher to inject PHP objects. If a vulnerable POP chain exists through an additional plugin or theme on the target site, the attacker could potentially delete arbitrary files, access sensitive data, or execute malicious code. Securing permissions for 'View Form' and 'Manage Form' by an administrator is a requirement; however, this restriction can be circumvented when combined with CVE-2024-2771.

Affected Version(s)

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder * <= 5.1.15

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3081740/flue...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 22, 2024
Vulnerability Reserved
Apr 24, 2024

Credit

Tobias Weißhaar