Fluentforms Contact Form vulnerabilities
19 known vulnerabilities affecting fluentforms/contact_form.
Total CVEs: 19
CISA KEV: 0
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 3, HIGH 3, MEDIUM 13
Vulnerabilities
CVE-2024-2771 | P1 | CRITICAL | CVSS 9.8 | CWE-862 | Exploited | PoC | fixed in 5.1.17 | 2024-05-18 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant use
CVE-2024-2782 | P2 | HIGH | CVSS 7.5 | CWE-862 | Exploited | PoC | fixed in 5.1.17 | 2024-05-18 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attack
CVE-2023-24410 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | affects ≤ 4.3.25 | 2023-10-31 | source: nvd
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection. This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by F
CVE-2024-4157 | P3 | HIGH | CVSS 8.8 | fixed in 5.1.16 | 2024-05-22 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above,
CVE-2021-34620 | P3 | HIGH | CVSS 8.8 | CWE-79 | fixed in 3.6.67 | 2021-07-07 | source: nvd
The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions.
CVE-2022-3463 | P3 | CRITICAL | CVSS 9.8 | CWE-1236 | fixed in 4.3.13 | 2022-11-07 | source: nvd
The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection.
CVE-2024-10646 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.2.7 | 2024-12-14 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form's subject parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inj
CVE-2023-0546 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.3.25 | 2023-04-10 | source: nvd
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form, which will trigger for any visitor to the form or admins previewing or editing the form.
CVE-2024-6703 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.1.20 | 2024-07-27 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'description' and 'btn_txt' parameters in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for attackers with the
CVE-2024-9651 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.2.1 | 2024-12-09 | source: nvd
The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-4709 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.1.17 | 2024-05-18 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' parameter in versions up to, and including, 5.1.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-
CVE-2023-6957 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.1.10 | 2024-03-13 | source: nvd
The Fluent Forms plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an inject
CVE-2024-2772 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.1.14 | 2024-05-18 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 5.1.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Fluent Form
CVE-2024-5053 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | fixed in 5.1.19 | 2024-09-01 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Mailchimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with a Subscriber-level access
CVE-2024-0618 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affects ≤ 5.1.5 | 2024-01-27 | source: nvd
The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administra
CVE-2024-9528 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 5.1.20 | 2024-10-05 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to edit
CVE-2024-6521 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 5.1.20 | 2024-07-27 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dropdown fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-le
CVE-2024-6518 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 5.1.20 | 2024-07-27 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via input fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level
CVE-2024-6520 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 5.1.20 | 2024-07-27 | source: nvd
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom error message in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrat