10 matches found
Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's...
CVE-2024-4157
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for...
CVE-2024-4157 Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for...
CVE-2024-4157 Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for...
CVE-2024-4157
CVE-2024-4157 covers a PHP Object Injection vulnerability in the WordPress plugin “Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder.” All versions up to and including 5.1.15 are affected via deserialization in the extractDynamicValues function. Exploitation re...
Contact Form Plugin by Fluent Forms < 5.1.16 - Contributor+ PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additiona...
CVE-2024-2771
creationtimestamp| type| source ---|---|--- 2024-05-21 15:30:04+00:00| seen| https://t.me/HackingInsights/727 2025-08-03 09:00:06+00:00| published-proof-of-concept| Telegram/k9l6whAFym9ZbJh5WMNbuyJuC8dcnnMOMGxizovh2wCYo8 2025-08-05 21:02:20+00:00| seen|...
Contact Form Plugin by Fluent Forms < 5.1.14 - Subscriber+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via form settings due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Fluent Forms settings, to inject arbitrary web scripts in pages that will execut...
WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Privilege Escalation
Software FluentForm Type Plugin Vulnerable versions = 5.1.16 Fixed in 5.1.17 OWASP Top 10 A7: Identification and Authentication Failures Classification Privilege Escalation CVE CVE-2024-2771 Patch priority High CVSS severity High 9.8 Developer Claim ownership PSID d5d5aedf6c4b Credits Tobias...
CVE-2024-2771
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes ...