Stored Cross-Site Scripting Vulnerability in Contact Form Plugin
CVE-2024-9528
4.8 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 5 October 2024
What is CVE-2024-9528?
The Fluent Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping. This vulnerability affects all versions up to and including 5.1.19. Authenticated attackers, typically those with administrative access who are able to edit forms, can exploit this weakness by injecting arbitrary web scripts into form label fields. These scripts execute in the context of user sessions when the compromised pages are accessed, posing a significant risk to user data and overall site security.
Affected Version(s)
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder * <= 5.1.19
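A defender-side check for the issue described above, as an added example that is not from the advisory or from the plugin's code: it tests a version string against the affected range and scans a decoded form definition for label values that carry script-capable markup. The `fields`/`settings`/`label` layout, the sample form and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser

LAST_AFFECTED = (5, 1, 19)  # advisory: versions up to and including 5.1.19

def is_affected(version):
    """True if a dotted numeric plugin version is in the affected range."""
    return tuple(int(p) for p in version.split(".")) <= LAST_AFFECTED

class ActiveMarkup(HTMLParser):
    """Records why a string could run script if echoed without escaping."""
    def __init__(self):
        super().__init__()
        self.reasons = []

    def handle_starttag(self, tag, attrs):
        if tag in {"script", "iframe", "object", "embed"}:
            self.reasons.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.reasons.append(f"{name} handler on <{tag}>")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.reasons.append(f"javascript: URL in {name}")

def audit_labels(node, path="$"):
    """Walk decoded form JSON; return (path, reasons) per risky 'label'."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "label" and isinstance(value, str):
                parser = ActiveMarkup()
                parser.feed(value)
                parser.close()
                if parser.reasons:
                    findings.append((f"{path}.{key}", parser.reasons))
            else:
                findings.extend(audit_labels(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(audit_labels(item, f"{path}[{i}]"))
    return findings

# Constructed sample; the fields/settings/label layout is an assumption.
SAMPLE_FORM = {"fields": [
    {"element": "input_text", "settings": {"label": "Your name"}},
    {"element": "input_email", "settings": {"label": "Email <img src=x onerror=alert(1)>"}},
    {"element": "textarea", "settings": {"label": "<b>Message</b>"}},
]}
```

Labels with plain formatting tags such as `<b>` are not reported; only elements, event-handler attributes and `javascript:` URLs that could execute script are.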