Stored Cross-Site Scripting Vulnerability in Contact Form Plugin
CVE-2024-9528

4.9 MEDIUM

Key Information:

Summary

The Fluent Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting because form label values are neither sanitized on input nor escaped on output. The vulnerability affects all versions up to and including 5.1.19. An authenticated attacker with permission to edit forms (typically an administrator) can store arbitrary web script in a form label field; the script then executes in the browser of any user who views a page containing the affected form, in that user's session context, posing a significant risk to user data and overall site security.
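The defect class described above comes down to where a stored label is escaped. The following PHP is an added illustration, not code from Fluent Forms or from the advisory: it places the vulnerable rendering pattern (stored value concatenated into markup as-is) beside the hardened one (escaped for its output context). The function names, the `ff_name` field id and the label value are constructed for this example; `esc_html_like()` and `esc_attr_like()` are stand-ins for WordPress's `esc_html()` and `esc_attr()`, which real plugin code would call instead. How Fluent Forms actually fixed the issue is not stated on this page.

```php
<?php
declare(strict_types=1);

// Stand-ins for WordPress's esc_html() / esc_attr() (assumption: a plugin would
// call the WordPress functions; these reproduce the core HTML-encoding behaviour).
function esc_html_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function esc_attr_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the label read back from the database is inserted into the
// page unchanged, so any markup stored in it is parsed and executed by the browser.
function render_label_unsafe(string $field_id, string $label): string {
    return '<label for="' . $field_id . '">' . $label . '</label>';
}

// Hardened pattern: each stored value is escaped for the context it lands in
// (attribute for the id, text node for the label) at the point of output, so the
// browser renders the label as literal text.
function render_label_safe(string $field_id, string $label): string {
    return '<label for="' . esc_attr_like($field_id) . '">'
         . esc_html_like($label) . '</label>';
}

// Cheap check for a unit test or code review: does rendered HTML still contain a
// live <script> tag or an on*= event handler attribute?
function contains_active_markup(string $html): bool {
    return (bool) preg_match('/<script\b|\son[a-z]+\s*=/i', $html);
}

// Constructed label of the kind a user with form-editing rights could have saved.
$stored_label = 'Your name <script>alert("stored xss")</script>';
$field_id     = 'ff_name';

$unsafe = render_label_unsafe($field_id, $stored_label);
$safe   = render_label_safe($field_id, $stored_label);

printf("unsafe: %s\n  active markup? %s\n", $unsafe, contains_active_markup($unsafe) ? 'yes' : 'no');
printf("safe:   %s\n  active markup? %s\n", $safe, contains_active_markup($safe) ? 'yes' : 'no');
```

Run it with `php example.php`: the unsafe rendering emits the `<script>` element verbatim and the check reports active markup, while the hardened rendering emits `&lt;script&gt;...&lt;/script&gt;` and the check reports none. If labels legitimately need limited formatting, escaping everything is too strict; in that case pass the value through an allowlist sanitizer such as WordPress's `wp_kses()` with an explicit set of permitted tags and attributes, rather than `strip_tags()`, which keeps attributes (including event handlers) on any tag it allows.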

Affected Version(s)

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder: <= 5.1.19

References

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Ivan Kuzymchak