cbcvebase.
CVE-2024-2782
published 2024-05-18


Priority: P277 (high)
CVSS 3.1: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitation: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 1.23% (65.2nd percentile)
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings.

Affected (1 range)

Vendor: fluentforms
Product: contact_form
Version range: < 5.1.17
Fixed in: 5.1.17

Detection & IOCs (extracted from sources)

url: /wp-json/fluentform/v1/global-settings
path: /wp-content/plugins/fluentform/
command (observed request):
POST /wp-json/fluentform/v1/global-settings HTTP/1.1
Content-Type: application/json

{"key": "emailSummarySettings", "email_report": {"status": "yes", "send_to_type": "custom", "custom_recipients": "{{email}}", "sending_day": "Mon"}}
  • Detect unauthenticated POST requests to the Fluent Forms global-settings REST endpoint; no authentication headers should be present.
  • Fingerprint vulnerable WordPress installations by searching for the string /wp-content/plugins/fluentform/ in HTTP response bodies.
  • The attack payload targets the JSON key 'emailSummarySettings' to redirect email reports to an attacker-controlled address; monitor for unexpected changes to this setting.
  • The vulnerability affects all plugin versions up to and including 5.1.16; version 5.1.17 and later are patched.
  • The Nuclei template is marked 'intrusive' because it actively modifies plugin settings (emailSummarySettings) on the target; use only in authorized testing environments.
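The first and third detection bullets above, turned into a small checker over proxy or WAF request records. This is an added example, not code from the page or from the Fluent Forms project; the record layout, the header names taken as evidence of authentication (WordPress login cookies, X-WP-Nonce, Authorization) and the sample requests are all assumptions constructed for the demonstration.

```python
# Added example: flag unauthenticated POSTs to the Fluent Forms global-settings
# REST endpoint and note when the body changes emailSummarySettings.
import json
from typing import Iterable, List, Optional, Tuple

TARGET_PATH = "/wp-json/fluentform/v1/global-settings"
# Assumption: a request is treated as authenticated if it carries a REST nonce,
# an Authorization header (Basic / Application Password), or a WP login cookie.
AUTH_HEADERS = ("authorization", "x-wp-nonce")
AUTH_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_")

def has_auth(headers: dict) -> bool:
    h = {k.lower(): v for k, v in headers.items()}
    if any(name in h for name in AUTH_HEADERS):
        return True
    cookie = h.get("cookie", "")
    return any(p.strip().startswith(AUTH_COOKIE_PREFIXES) for p in cookie.split(";"))

def classify(req: dict) -> Optional[str]:
    """Return an alert reason for one request record, or None if not suspicious."""
    path = req["path"].split("?", 1)[0].rstrip("/")
    if req["method"].upper() != "POST" or path != TARGET_PATH:
        return None
    if has_auth(req.get("headers", {})):
        return None  # admin saving settings while logged in: expected traffic
    reason = "unauthenticated POST to fluentform global-settings"
    try:
        body = json.loads(req.get("body") or "{}")
    except json.JSONDecodeError:
        return reason  # still worth an alert; the endpoint should never be hit anonymously
    if isinstance(body, dict) and body.get("key") == "emailSummarySettings":
        report = body.get("email_report") or {}
        reason += f"; emailSummarySettings change, recipients={report.get('custom_recipients')!r}"
    return reason

def scan(records: Iterable[dict]) -> List[Tuple[dict, str]]:
    return [(r, why) for r in records if (why := classify(r))]

# Constructed sample records (not real traffic), as a reverse proxy might log them.
SAMPLE = [
    {"method": "GET", "path": TARGET_PATH, "headers": {"Cookie": "wordpress_logged_in_x=1"}, "body": ""},
    {"method": "POST", "path": TARGET_PATH, "headers": {"X-WP-Nonce": "abcd1234", "Cookie": "wordpress_logged_in_x=1"},
     "body": '{"key": "emailSummarySettings", "email_report": {"status": "no"}}'},
    {"method": "POST", "path": TARGET_PATH + "/", "headers": {"Content-Type": "application/json"},
     "body": '{"key": "emailSummarySettings", "email_report": {"status": "yes", "send_to_type": "custom", "custom_recipients": "report-sink@example.invalid", "sending_day": "Mon"}}'},
    {"method": "POST", "path": "/wp-json/fluentform/v1/forms", "headers": {}, "body": "{}"},
]

if __name__ == "__main__":
    for _, why in scan(SAMPLE):
        print(why)
```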

CVSS provenance

NVD: CVSS v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
VulnCheck: 7.5 HIGH