CVE-2024-2771
Published: 2024-05-18
Priority: P1 · 85 · Critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 2.33% (81.4th percentile)
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.
Affected
3 ranges indexed
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fluentforms | contact_form | < 5.1.16 | 5.1.16 |
| fluentforms | contact_form | < 5.1.17 | 5.1.17 |
| fluentforms | contact_form | < 5.1.14 | 5.1.14 |
Only the "< 5.1.17" range matches this CVE: the description and the Nuclei template below both put every version up to and including 5.1.16 in scope, with the fix in 5.1.17. The 5.1.16 and 5.1.14 bounds correspond to the fix versions of the related advisories listed further down (CVE-2024-4157, affecting up to 5.1.15, and CVE-2024-2772, affecting up to 5.1.13) and should not be used to scope this one.
Detection & IOCs (extracted from sources)
Request used by the public exploit and the Nuclei template ({{email}} is a template placeholder for the address of an existing WordPress user):
POST /wp-json/fluentform/v1/managers HTTP/1.1
Content-Type: application/json

{"manager":{"email":"{{email}}","permissions":["fluentform_dashboard_access","fluentform_forms_manager","fluentform_entries_viewer","fluentform_manage_entries","fluentform_view_payments","fluentform_manage_payments","fluentform_settings_manager","fluentform_full_access"]}}
- Detect unauthenticated POST requests to the Fluent Forms managers REST API endpoint: no authentication material present (no login cookie, X-WP-Nonce or Authorization header) together with a JSON body whose 'permissions' array contains Fluent Forms capability strings (fluentform_*). Legitimate manager changes are made by a logged-in administrator and carry that material.
- Successful exploitation returns HTTP 200 with a JSON body containing the string 'Manager has been saved.'; monitor for this response pattern on /wp-json/fluentform/v1/managers.
- Fingerprint vulnerable installations by fetching /wp-content/plugins/fluentform/readme.txt and checking that the 'Stable tag' version is below 5.1.17.
- FOFA/Shodan-style asset discovery: search for WordPress sites whose body contains '/wp-content/plugins/fluentform/' to identify potentially exposed targets.
- CVE-2024-2771 can be chained with CVE-2024-4157 (PHP Object Injection in extractDynamicValues): an unauthenticated attacker first grants Fluent Forms permissions via CVE-2024-2771, then uses that access to reach the deserialization flaw, which yields RCE or file deletion only if a POP chain from another installed plugin or theme is present. Monitor for both patterns in sequence.
- The privilege escalation requires the email address of an existing WordPress user as the target of the permission grant; without a known user email the attack cannot complete. In practice the attacker grants the permissions to an account they already control (a subscriber or contributor), which is why the related XSS and object-injection advisories describe the chain as a low-privileged user escalating.
- The vulnerability affects all plugin versions up to and including 5.1.16 and is fixed in 5.1.17. The "up to and including 5.1.15" bound that appears in the CVE-2024-4157 chain context belongs to that CVE, not this one; scope version checks for CVE-2024-2771 at < 5.1.17.
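As an added example (not code from the tracker page, the Nuclei template or the Fluent Forms project), the following Python applies the IOCs above to constructed request records of the kind a WAF or reverse proxy exports, and checks a readme.txt 'Stable tag' against the 5.1.17 fix version. It goes slightly beyond the IOC text: it also matches the plain-permalink ?rest_route= form of the endpoint and any sub-resource path, and it flags unauthenticated non-GET requests that carry no permissions body (the manager-delete case the description mentions but gives no request for). The record field names (method, path, headers, body, status, response_body) are an assumption, as are the sample records and readme text.

```python
"""Added example: CVE-2024-2771 detection helpers built from the IOCs above.
Not code from the tracker page or the Fluent Forms project; request records
and readme text are constructed samples with assumed field names."""
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# The endpoint in pretty-permalink form; sub-resources (e.g. /managers/7) match too.
MANAGERS_PATH_RE = re.compile(r"/wp-json/fluentform/v1/managers(?:/|$)")
# Headers a logged-in WordPress REST call normally carries. Their absence is
# what the IOC list calls an "unauthenticated" request.
AUTH_HEADERS = ("authorization", "cookie", "x-wp-nonce")
SUCCESS_MARKER = "Manager has been saved."
FIXED_VERSION = (5, 1, 17)
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)


def hits_managers_endpoint(request_target: str) -> bool:
    """True for /wp-json/fluentform/v1/managers or ?rest_route=/fluentform/v1/managers."""
    parsed = urlparse(request_target)
    if MANAGERS_PATH_RE.search(parsed.path):
        return True
    routes = parse_qs(parsed.query).get("rest_route", [])
    return any(MANAGERS_PATH_RE.search("/wp-json" + route) for route in routes)


def is_unauthenticated(headers: dict) -> bool:
    present = {name.lower() for name in headers}
    return not any(name in present for name in AUTH_HEADERS)


def fluentform_permissions(body: str) -> List[str]:
    """Fluent Forms capability strings requested in a managers POST body."""
    try:
        data = json.loads(body or "")
    except ValueError:
        return []
    manager = data.get("manager") if isinstance(data, dict) else None
    perms = manager.get("permissions", []) if isinstance(manager, dict) else []
    return [p for p in perms if isinstance(p, str) and p.startswith("fluentform_")]


def classify_request(rec: dict) -> Optional[str]:
    """'exploited', 'attempt', 'suspicious', or None (benign) for one record."""
    if not hits_managers_endpoint(rec.get("path", "")):
        return None
    if rec.get("method", "GET").upper() == "GET":
        return None
    if not is_unauthenticated(rec.get("headers", {})):
        return None  # an administrator editing managers is expected traffic
    perms = fluentform_permissions(rec.get("body", ""))
    accepted = rec.get("status") == 200 and SUCCESS_MARKER in rec.get("response_body", "")
    if perms and accepted:
        return "exploited"   # grant confirmed by the server's response
    if perms:
        return "attempt"     # grant requested but not confirmed (patched or blocked)
    return "suspicious"      # other unauthenticated write, e.g. a manager delete


def scan(records: List[dict]) -> List[Tuple[int, str]]:
    """(index, verdict) for every record that is not benign."""
    return [(i, v) for i, v in ((i, classify_request(r)) for i, r in enumerate(records)) if v]


def readme_is_vulnerable(readme_text: str) -> Optional[bool]:
    """Stable tag below 5.1.17 -> True; patched -> False; no tag found -> None."""
    match = STABLE_TAG_RE.search(readme_text)
    if not match:
        return None
    version = tuple(int(part) for part in match.group(1).split("."))
    return version < FIXED_VERSION


# Constructed sample records (assumed field names), not real traffic.
SAMPLE_REQUESTS = [
    {   # unauthenticated grant, accepted by an unpatched site
        "method": "POST", "path": "/wp-json/fluentform/v1/managers",
        "headers": {"Content-Type": "application/json"},
        "body": '{"manager":{"email":"editor@example.test","permissions":["fluentform_full_access"]}}',
        "status": 200, "response_body": '{"message":"Manager has been saved."}'},
    {   # same grant via the plain-permalink route, rejected by a patched site
        "method": "POST", "path": "/index.php?rest_route=/fluentform/v1/managers",
        "headers": {"Content-Type": "application/json"},
        "body": '{"manager":{"email":"editor@example.test","permissions":["fluentform_settings_manager"]}}',
        "status": 401, "response_body": '{"code":"rest_forbidden"}'},
    {   # unauthenticated delete of a manager record, no permissions body
        "method": "DELETE", "path": "/wp-json/fluentform/v1/managers/7",
        "headers": {}, "body": "", "status": 200, "response_body": "{}"},
    {   # legitimate administrator action: login cookie and nonce present
        "method": "POST", "path": "/wp-json/fluentform/v1/managers",
        "headers": {"Cookie": "wordpress_logged_in_x=...", "X-WP-Nonce": "abcd1234"},
        "body": '{"manager":{"email":"ops@example.test","permissions":["fluentform_entries_viewer"]}}',
        "status": 200, "response_body": '{"message":"Manager has been saved."}'},
    {   # unrelated traffic
        "method": "GET", "path": "/wp-json/wp/v2/posts", "headers": {},
        "body": "", "status": 200, "response_body": "[]"},
]
SAMPLE_README = "=== Contact Form Plugin by Fluent Forms ===\nStable tag: 5.1.16\n"

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS):
        print(f"record {index}: {verdict}")
    print("readme vulnerable:", readme_is_vulnerable(SAMPLE_README))
```

The absence-of-auth test is deliberately coarse: a WordPress REST call from a browser session carries a login cookie plus X-WP-Nonce, and application passwords use Authorization, so a write to this endpoint with none of them is the signal, whatever the body looks like. Sites behind a CDN that strips cookies from logs will need the check relaxed.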
CVSS provenance
NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-h74g-q68m-46qw · CVE-2024-4157 [CRITICAL] · CWE-502 · ghsa_unreviewed · 2024-05-22 · CVSS 9.8
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained
GHSA
GHSA-736r-j9wv-3f4j · CVE-2024-2772 [CRITICAL] · CWE-79 · ghsa_unreviewed · 2024-05-18 · CVSS 9.8
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 5.1.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Fluent Forms settings, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This can be chained with CVE-2024-2771 for a low-privileged user to inject malicious web scripts.
GHSA
GHSA-q774-r932-hjpq · CVE-2024-2771 [CRITICAL] · CWE-862 · ghsa_unreviewed · 2024-05-18
Description: identical to the NVD text at the top of this page.
VulnCheck
CVE-2024-2771 [CRITICAL] · vulncheck · 2024 · CVSS 9.8
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress Authorization Bypass
Description: identical to the NVD text at the top of this page.
Affected: Fluent Forms Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress
Required Action: Apply remedi…
No detection rules found.
Nuclei
CVE-2024-2771 [CRITICAL] · nuclei · CVSS 9.8
Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.
Template (only the info block is indexed here; the request it sends is the one shown under Detection & IOCs):
id: CVE-2024-2771
info:
  name: Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
  author: Sourabh-Sahu
  severity: critical
  description: |
    The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint.
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/changeset/3088078/fluentform/trunk/app/Http/Policies/RoleManagerPolicy.php (WordPress.org plugin changeset touching RoleManagerPolicy.php)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/071195d6-3452-4241-a8d3-92efc84e4850?source=cve (Wordfence advisory)