CVE-2024-2771
published 2024-05-18


Priority: P1 85, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 2.33% (81.4th percentile)
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.

Affected

3 ranges

Vendor        Product         Version range   Fixed in
fluentforms   contact_form    < 5.1.16        5.1.16
fluentforms   contact_form    < 5.1.17        5.1.17
fluentforms   contact_form    < 5.1.14        5.1.14

Detection & IOCs (extracted from sources)

url: /wp-json/fluentform/v1/managers
path: /wp-content/plugins/fluentform/readme.txt
command: POST /wp-json/fluentform/v1/managers HTTP/1.1 Content-Type: application/json {"manager":{"email":"{{email}}","permissions":["fluentform_dashboard_access","fluentform_forms_manager","fluentform_entries_viewer","fluentform_manage_entries","fluentform_view_payments","fluentform_manage_payments","fluentform_settings_manager","fluentform_full_access"]}}
  • Detect unauthenticated POST requests to the Fluent Forms managers REST API endpoint; no authentication headers should be present and a JSON body containing 'permissions' array with Fluent Form capability strings is indicative of exploitation.
  • Successful exploitation response contains the string 'Manager has been saved.' in a JSON body with HTTP 200; monitor for this response pattern on the /wp-json/fluentform/v1/managers endpoint.
  • Fingerprint vulnerable installations by probing /wp-content/plugins/fluentform/readme.txt and checking 'Stable tag' version is less than 5.1.17.
  • FOFA/Shodan-style asset discovery: search for WordPress sites with body containing '/wp-content/plugins/fluentform/' to identify potentially vulnerable targets.
  • CVE-2024-2771 can be chained with CVE-2024-4157 (PHP Object Injection in extractDynamicValues): an unauthenticated attacker first escalates privileges via CVE-2024-2771, then exploits the deserialization flaw to achieve RCE/file deletion. Monitor for both attack patterns in sequence.
  • The privilege escalation exploit requires a valid, existing WordPress user email address as the target for permission grant; without a known user email the attack cannot complete.
  • The vulnerability affects all plugin versions up to and including 5.1.15 (per CVE-2024-4157 chain context) and is fixed in 5.1.17; detections should scope version checks accordingly.
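The detection notes above, turned into code as an added example (not part of this record or of the Fluent Forms plugin): it flags unauthenticated POSTs to the managers endpoint that carry fluentform_* permission strings, upgrades the finding when the response carries 'Manager has been saved.', and checks a readme.txt 'Stable tag' against 5.1.17. The request/response records and readme text are constructed samples, and the dict layout is an assumption about how a proxy or WAF exports requests.

```python
import json
import re

ENDPOINT = "/wp-json/fluentform/v1/managers"
FIXED = (5, 1, 17)  # detection note above: fixed in 5.1.17
AUTH_HEADERS = ("cookie", "authorization", "x-wp-nonce")  # WP REST auth carriers

def parse_stable_tag(readme_text):
    """Extract the 'Stable tag' line from a plugin readme.txt as a version tuple, or None."""
    m = re.search(r"^Stable tag:\s*([0-9.]+)", readme_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable_version(readme_text):
    v = parse_stable_tag(readme_text)
    return v is not None and v < FIXED

def classify_request(req):
    """Label one logged request/response record, or return None if it is not of interest.

    req (assumed export format): {"method", "path", "headers": {...}, "body": str,
    "status": int, "response": str}; status/response are optional.
    """
    if req["method"].upper() != "POST" or not req["path"].endswith(ENDPOINT):
        return None
    header_names = {k.lower() for k in req.get("headers", {})}
    unauthenticated = header_names.isdisjoint(AUTH_HEADERS)
    try:
        perms = json.loads(req.get("body") or "{}").get("manager", {}).get("permissions", [])
    except (json.JSONDecodeError, AttributeError):
        perms = []
    if not isinstance(perms, list):
        perms = []
    grants_ff = any(isinstance(p, str) and p.startswith("fluentform_") for p in perms)
    succeeded = req.get("status") == 200 and "Manager has been saved." in req.get("response", "")
    if unauthenticated and grants_ff:
        return "exploit-success" if succeeded else "exploit-attempt"
    if grants_ff:
        return "authenticated-manager-grant"  # normal admin action, still worth auditing
    return None

# Constructed sample records: one unauthenticated grant that succeeded, one legitimate
# cookie+nonce grant, and one GET that should be ignored.
SAMPLE = [
    {"method": "POST", "path": ENDPOINT, "headers": {"Content-Type": "application/json"},
     "body": '{"manager":{"email":"admin@example.com","permissions":["fluentform_full_access"]}}',
     "status": 200, "response": '{"message":"Manager has been saved."}'},
    {"method": "POST", "path": ENDPOINT,
     "headers": {"Cookie": "wordpress_logged_in_x=PLACEHOLDER", "X-WP-Nonce": "PLACEHOLDER"},
     "body": '{"manager":{"email":"editor@example.com","permissions":["fluentform_forms_manager"]}}',
     "status": 200, "response": '{"message":"Manager has been saved."}'},
    {"method": "GET", "path": ENDPOINT, "headers": {}, "body": ""},
]
README_SAMPLE = "=== Fluent Forms ===\nStable tag: 5.1.16\n"  # constructed
```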

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL