19 matches found
CVE-2024-2771
CVE-2024-2771 affects the Contact Form Plugin by Fluent Forms for WordPress. The issue is an unauthenticated privilege escalation caused by a missing capability check on the REST endpoint /wp-json/fluentform/v1/managers. Vulnerable in all versions up to 5.1.16, allowing an unauthenticated attacke...
CVE-2024-2782
CVE-2024-2782 affects WordPress plugin Fluent Forms (Contact Form Plugin for Quiz, Survey, and Drag & Drop WP Form Builder) versions
CVE-2023-24410
CVE-2023-24410: WordPress plugin FluentForm (Contact Form Plugin – Fastest Contact Form Builder)
CVE-2024-2772
The CVE-2024-2772 entry concerns the WordPress plugin “Contact Form Plugin by Fluent Forms” for Quiz, Survey, and Drag & Drop WP Form Builder. It is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.1.13 due to insufficient input sanitization and output escaping in f...
CVE-2024-0618
CVE-2024-0618 affects the Fluent Form plugin for WordPress (Contact Form Plugin – Fastest Contact Form Builder) up to version 5.1.5. The issue is a stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping for imported form titles. The vulnerabi...
CVE-2024-5053
CVE-2024-5053 affects the Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder on WordPress. Root cause is an insufficient capability check in verifyRequest, enabling Form Managers with Subscriber+ roles to modify the Mailchimp API key and potentially redirect int...
CVE-2023-0546
CVE-2023-0546 affects the Contact Form Plugin WordPress plugin (pre-4.3.25). The issue is stored XSS via improper sanitization/escaping of the srcdoc attribute in iframes within the plugin’s custom HTML field, enabling a logged-in user with Contributor+ privileges to inject arbitrary JavaScript t...
CVE-2024-4157
CVE-2024-4157 covers a PHP Object Injection vulnerability in the WordPress plugin “Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder.” All versions up to and including 5.1.15 are affected via deserialization in the extractDynamicValues function. Exploitation re...
CVE-2022-3463
CVE-2022-3463 concerns the WordPress Contact Form Plugin (FluentForm) before 4.3.13. The vulnerability is a CSV injection caused by not validating and escaping fields when exporting form entries as CSV. Affected product: WordPress FluentForm / Contact Form Plugin prior to 4.3.13. Impact: potentia...
CVE-2024-10646
CVE-2024-10646 relates to the WordPress plugin Fluent Forms – Contact Forms, Survey & Form Builder. The vulnerability is a Stored Cross-Site Scripting (XSS) in the form’s subject parameter, exploitable in all versions up to 5.2.6 due to insufficient input sanitization and output escaping. The im...
CVE-2024-6703
CVE-2024-6703 affects the WordPress plugin “Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder.” The vulnerability is a Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping in the description and btn_txt parameters, exploi...
CVE-2024-9651
CVE-2024-9651 relates to the Fluent Forms WordPress plugin, prior to version 5.2.1, where insufficient sanitization/escaping of certain plugin settings permits stored XSS. The issue can be exploited by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisi...
CVE-2024-4709
CVE-2024-4709 affects the Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder on WordPress. The stored XSS vulnerability occurs in the subject parameter of versions up to 5.1.16 due to inadequate input sanitization and output escaping. Exploitation requires authe...
CVE-2024-6518
The CVE-2024-6518 entry concerns the Fluent Forms Contact Form Plugin for WordPress (the Fluent Form plugin suite). It specifies Stored Cross-Site Scripting in all versions up to and including 5.1.19, caused by insufficient input sanitization and output escaping. The vulnerability requires authen...
CVE-2021-34620
CVE-2021-34620 affects the WP Fluent Forms plugin for WordPress, specifically versions prior to 3.6.67. The root cause is a missing nonce check in the access control function for administrative AJAX actions, enabling Cross-Site Request Forgery that can lead to stored Cross-Site Scripting and a li...
CVE-2024-6520
CVE-2024-6520 concerns the WordPress Fluent Forms Contact Form Plugin (Quiz, Survey, Drag & Drop) with a Stored Cross-Site Scripting flaw in versions up to 5.1.19, caused by insufficient input sanitization and output escaping. Exploitation requires Administrator-level privileges (and above) and c...
CVE-2024-6521
CVE-2024-6521 affects the WordPress plugin Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder. All versions up to 5.1.19 are vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. Exploitation requires Administrator...
CVE-2024-9528
CVE-2024-9528: Stored Cross-Site Scripting in the WordPress plugin “Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder” (versions ≤ 5.1.19). Root cause: insufficient input sanitization and output escaping in form label fields, allowing an authenticated attacker...
CVE-2023-6957
CVE-2023-6957 (Fluent Forms, WordPress) Stored XSS in Fluent Forms up to 5.1.9 caused by insufficient input sanitization and output escaping. Impact depends on who can create forms (admin/contributor range); scripts can execute when a user visits an injected page. Remediation: upgrade to a versio...