CVE-2024-0618
Published 2024-01-27. CVE-2024-0618: The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting…
Priority: P4 (18) · Severity: medium 4.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.54% (41.3rd percentile)
The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Why the last condition matters: on a single-site install an administrator normally holds the unfiltered_html capability and can publish raw HTML and script anyway, so an unescaped form title adds no privilege. The bug is an actual boundary crossing only where that capability has been withheld from administrators, which WordPress does by default on multisite (only super admins keep it) and which a site can enforce with the DISALLOW_UNFILTERED_HTML constant. The attack path is an admin-uploaded form export whose title field is stored without sanitization and rendered without escaping, so the script fires for any user who views the page listing that form.
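The pattern behind this class of bug, as an added illustration that is not Fluent Forms code and does not reproduce the plugin's actual import path or the change made in Helper.php: a form-import handler that stores a title from uploaded JSON and later renders it in an admin listing. The vulnerable variant echoes the stored title raw; the hardened variant sanitizes on import and escapes on output. `sanitize_text_field()` and `esc_html()` are the WordPress helpers; the plain-PHP stand-ins are approximations defined only so the file runs under `php` outside WordPress, and the import payload is constructed sample data.

```php
<?php
// Added illustration, not Fluent Forms code: a minimal model of a form-import
// handler. Plain-PHP stand-ins for the WordPress helpers are defined so this
// runs stand-alone; inside WordPress the real helpers are used instead.

if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Approximation of WP's helper: strip tags, collapse whitespace, trim.
        $s = strip_tags($s);
        $s = preg_replace('/[\r\n\t ]+/', ' ', $s);
        return trim($s);
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed import payload: the kind of export an admin might upload.
$importJson = '{"forms":[{"title":"Contact <img src=x onerror=alert(document.domain)>","fields":[]}]}';

// Vulnerable: trust the title from the file, render it unescaped.
function import_form_vulnerable(array $form): array {
    return ['title' => $form['title']];          // stored as-is
}
function render_row_vulnerable(array $stored): string {
    return "<td>{$stored['title']}</td>";         // raw output => stored XSS
}

// Hardened: sanitize when storing, escape when rendering. Both steps matter:
// sanitization limits what reaches the database, escaping protects the HTML
// context even for records written by older code or other import paths.
function import_form_hardened(array $form): array {
    return ['title' => sanitize_text_field((string) ($form['title'] ?? ''))];
}
function render_row_hardened(array $stored): string {
    return '<td>' . esc_html($stored['title']) . '</td>';
}

$forms = json_decode($importJson, true, 512, JSON_THROW_ON_ERROR)['forms'];
foreach ($forms as $form) {
    echo "vulnerable:        ", render_row_vulnerable(import_form_vulnerable($form)), PHP_EOL;
    echo "hardened:          ", render_row_hardened(import_form_hardened($form)), PHP_EOL;
    // Output escaping alone still neutralises a record stored by the old code.
    echo "escape-only (old record): ", render_row_hardened(import_form_vulnerable($form)), PHP_EOL;
}
```

The third line of output is the reason the advisory names both sanitization and escaping: records already in the database from a vulnerable release are only made safe by escaping at the point of output, so a fix that adds sanitization to the importer without touching the rendering path leaves existing injected titles live.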
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fluentforms | contact_form | <= 5.1.5 | — |
The fixed version is not recorded in this entry. The WordPress.org changeset linked in the references compares app/Helpers/Helper.php between the 5.1.5 and 5.1.7 tags, so confirm the remediated release against the vendor changelog before closing a finding.
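A quick affected-range check, added here and not part of the advisory: read the `Version:` header from a WordPress plugin's main file and compare it numerically against 5.1.5. The plugin path under wp-content/plugins is an assumption, and the header files the demo writes are constructed samples, not the real plugin.

```sh
#!/bin/sh
# Added check, not from the advisory or the plugin: read the "Version:" header
# of a WordPress plugin's main file and report whether it falls in the affected
# range for CVE-2024-0618 (all versions <= 5.1.5). The plugin path shown in the
# usage comment is an assumption; adjust it to the site's plugins directory.
LAST_AFFECTED="5.1.5"

# Print the Version: value from a WordPress plugin header block.
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed (return 0) if dotted version $1 <= $2, comparing each component
# numerically so that 5.10.0 sorts after 5.1.5 (string comparison would not).
# A trailing dot is appended so cut always sees a delimiter.
version_le() {
  i=1
  while :; do
    x=$(printf '%s.' "$1" | cut -d. -f"$i")
    y=$(printf '%s.' "$2" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0   # all components equal
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
}

# Succeed if the plugin file at $1 declares a version in the affected range.
# Returns 2 when no Version: header is found, so "unknown" is not "safe".
fluentform_affected() {
  v=$(plugin_version "$1")
  [ -n "$v" ] || return 2
  version_le "$v" "$LAST_AFFECTED"
}

# Write a constructed plugin header (sample data, not the real file) to $1.
write_sample_header() {
  printf '<?php\n/**\n * Plugin Name: Fluent Forms\n * Version: %s\n */\n' "$2" > "$1"
}

# Stand-alone demo against constructed files.
demo() {
  dir=$(mktemp -d)
  for ver in 5.1.5 5.1.7 5.10.0; do
    write_sample_header "$dir/fluentform-$ver.php" "$ver"
    if fluentform_affected "$dir/fluentform-$ver.php"; then
      echo "$ver: affected (<= $LAST_AFFECTED)"
    else
      echo "$ver: not in affected range"
    fi
  done
  rm -rf "$dir"
}

# Usage against a real install (path is an assumption):
#   fluentform_affected /var/www/html/wp-content/plugins/fluentform/fluentform.php
demo
```

Pair this with a capability check on the site itself: the finding only has teeth where administrators lack `unfiltered_html`, which is the default on multisite and wherever `DISALLOW_UNFILTERED_HTML` is set.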
CVSS provenance
NVD v3.1: 4.8 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CISA: 8.8 HIGH (this score comes from the KEV record for CVE-2020-0618 that the aggregator attached to this page on an identifier collision; it does not describe CVE-2024-0618)
VulDB
Fluent Forms Plugin up to 5.1.5 on WordPress Form Title Import cross site scripting (ID 3022938)
vuldb · 2026-04-11 · CVSS 4.4 · MEDIUM
A vulnerability was found in Fluent Forms Plugin up to 5.1.5 on WordPress. It has been classified as problematic. Affected by this vulnerability is an unknown functionality of the component Form Title Import Handler. This manipulation causes cross site scripting.
This vulnerability is registered as CVE-2024-0618. Remote exploitation of the attack is possible. No exploit is available.
GHSA
GHSA-3qxr-cm3w-hpmq · ghsa_unreviewed · 2024-01-27 · MEDIUM · CWE-79
Description: identical to the NVD text above (stored XSS via imported form titles, all versions up to and including 5.1.5).
CISA
The KEV record below is for CVE-2020-0618 (Microsoft SQL Server Reporting Services), not for this Fluent Forms issue; the aggregator attached it on a partial identifier match. Nothing on this page indicates that CVE-2024-0618 is in the KEV catalog.
Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
cisa · 2024-09-18 · CVSS 8.8
CVE-2020-0618 [HIGH] CWE-502 Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
Vulnerability: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
Affected: Microsoft SQL Server
Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2020-0618 ; https://nvd.nist.gov/vuln/detail/CVE-2020-0618
Remediation Due Date: 2024-10-09
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://advisory.abay.sh/cve-2024-0618/
https://plugins.trac.wordpress.org/changeset/3022938/fluentform/tags/5.1.7/app/Helpers/Helper.php?old=3000676&old_path=fluentform%2Ftags%2F5.1.5%2Fapp%2FHelpers%2FHelper.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/0348d465-f351-4c52-b293-8b3b058292b9?source=cve
Published: 2024-01-27