CRITICAL🇵🇱 Wersja polska

CVE-2024-2771

CVSS 9.8v3.1pub. 2024-05-18upd. 2026-04-08

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.

🤖 AI Analysis
How it works

The vulnerability results from missing permission verification (missing capability check) on the REST API endpoint /wp-json/fluentform/v1/managers in all plugin versions up to and including 5.1.16. An attacker without any authorization can send a request to this endpoint and grant a selected user Fluent Forms management permissions, thereby obtaining access to all plugin settings and features. The same mechanism also allows deletion of existing plugin manager accounts.

Impact

An unauthenticated attacker can take full control over the Fluent Forms plugin configuration by granting unauthorized administrative permissions or removing manager accounts, which may lead to violations of system integrity and availability.

Mitigation & patch

The plugin should be updated to a version higher than 5.1.16. A patch is available in the WordPress repository under changeset 3088078. Immediate update is recommended along with verification of Fluent Forms manager accounts for unauthorized changes.

Who is affected

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder for WordPress — all versions up to and including 5.1.16.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fluentforms Contact Form

    APP
    Fluentforms
    < 5.1.17
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPE
CWE
References

Related vulnerabilities

CVE-2022-3463CRITICAL9.8ten sam produkt

The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form...

CVE-2024-10646HIGH7.2ten sam produkt

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress...

CVE-2024-4157HIGH7.5ten sam produkt

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress...

CVE-2024-2782HIGH7.5ten sam produkt

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress...

CVE-2021-34620HIGH8.8ten sam produkt

The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to store...