Fluent Forms Quiz, Survey, and Drag & Drop WP Form Builder Plugin Vulnerable to PHP Object Injection
CVE-2024-4157
What is CVE-2024-4157?
The Contact Form Plugin by Fluent Forms for WordPress is susceptible to a PHP Object Injection vulnerability due to deserialization of untrusted input in the extractDynamicValues function. This flaw impacts all versions up to 5.1.15 and enables authenticated attackers with contributor-level access or higher to inject PHP objects. If a vulnerable POP chain exists through an additional plugin or theme on the target site, the attacker could potentially delete arbitrary files, access sensitive data, or execute malicious code. Securing permissions for 'View Form' and 'Manage Form' by an administrator is a requirement; however, this restriction can be circumvented when combined with CVE-2024-2771.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder * <= 5.1.15
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved