60 matches found
WordPress FluentForm Plugin <= 5.1.15 is vulnerable to PHP Object Injection
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.15; Fixed in: 5.1.16; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2024-4157; Patch priority: Medium; CVSS severity: Medium 7.5; PSID: 3330782fcf1c; Credits: Tobias Weißhaar kun19; Required privilege...
WordPress FluentForm plugin <= 5.1.16 - Missing Authorization to Settings Update and Limited Privilege Escalation vulnerability
Missing Authorization to Settings Update and Limited Privilege Escalation vulnerability discovered by Tobias Weißhaar kun19 in WordPress Plugin FluentForm versions <= 5.1.16...
WordPress FluentForm plugin <= 5.1.16 - Missing Authorization to Setting Manipulation vulnerability
Missing Authorization to Setting Manipulation vulnerability discovered by Tobias Weißhaar kun19 in WordPress Plugin FluentForm versions <= 5.1.16...
WordPress FluentForm plugin <= 5.1.13 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by Tobias Weißhaar kun19 in WordPress Plugin FluentForm versions <= 5.1.13...
WordPress FluentForm plugin <= 5.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Tobias Weißhaar kun19 in WordPress Plugin FluentForm versions <= 5.1.16...
WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Privilege Escalation
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.16; Fixed in: 5.1.17; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2024-2771; Patch priority: High; CVSS severity: High 9.8; PSID: d5d5aedf6c4b; Credits: Tobias...
WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Cross Site Scripting (XSS)
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.16; Fixed in: 5.1.17; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-4709; Patch priority: Low; CVSS severity: Low 6.5; PSID: 5a184173f5e7; Credits: Tobias Weißhaar kun19...
WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Broken Access Control
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.16; Fixed in: 5.1.17; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-2782; Patch priority: High; CVSS severity: High 7.5; PSID: c154cbdbc6dd; Credits: Tobias Weißhaar kun19; Required...
WordPress FluentForm Plugin <= 5.1.13 is vulnerable to Cross Site Scripting (XSS)
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.13; Fixed in: 5.1.14; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-2772; Patch priority: Medium; CVSS severity: Medium 6.5; PSID: a989dc4961e7; Credits: Tobias Weißhaar kun19...
WordPress FluentForm Plugin <= 5.1.9 is vulnerable to Cross Site Scripting (XSS)
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.9; Fixed in: 5.1.10; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-6957; Patch priority: Low; CVSS severity: Low 6.5; PSID: ac30a92484ee; Credits: drop; Required privilege...
WordPress FluentForm Plugin <= 5.1.5 is vulnerable to Cross Site Scripting (XSS)
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.5; Fixed in: 5.1.7; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0618; Patch priority: Low; CVSS severity: Low 5.9; PSID: 0f6deb843ce1; Credits: Akbar Kustirama; Required...
CVE-2023-24410 WordPress FluentForm Plugin <= 4.3.25 is vulnerable to SQL Injection
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection. This issue affects Contact Form Plugin –...
WordPress FluentForm Plugin <= 5.0.8 is vulnerable to Broken Access Control
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.0.8; Fixed in: 5.0.9; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-41952; Patch priority: Low; CVSS severity: Low 5.3; PSID: c500b58c976c; Credits: Revan Arifio; Required privilege...
WordPress FluentForm Plugin <= 4.3.25 is vulnerable to SQL Injection
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 4.3.25; Fixed in: 5.0.0; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-24410; Patch priority: Low; CVSS severity: Low 5.5; PSID: 40a669c23487; Credits: Ravi Dharmawan; Required privilege: Administrator...
WordPress FluentForm Plugin < 4.3.25 is vulnerable to Cross Site Scripting (XSS)
Software: FluentForm; Type: Plugin; Vulnerable versions: < 4.3.25; Fixed in: 4.3.25; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-0546; Patch priority: Medium; CVSS severity: Medium 6.5; PSID: 479c93086620; Credits: Vaibhav Rajput; Required...
CVE-2022-3463 FluentForm < 4.3.13 - CSV Injection
The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection...
FluentForm < 4.3.13 - CSV Injection
The plugin does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection PoC - As unauthenticated, submit a form using =5+5 as value in any field - As admin, export the data as CSV /wp-admin/admin.php?page=fluentforms&formid=1&route=entries - open the CSV with a...
FluentForm < 4.3.13 - CSV Injection
The plugin does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection - As unauthenticated, submit a form using =5+5 as value in any field - As admin, export the data as CSV /wp-admin/admin.php?page=fluentforms&formid=1&route=entries - open the CSV with a...