CVE-2024-2771

EPSS 26.83%
Veröffentlicht 18.05.2024 08:15:06
Zuletzt bearbeitet 06.02.2025 18:33:57
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Missing Authorization to Settings Update and Limited Privilege Escalation

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.

Mögliche Gegenmaßnahme

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder: Update to version 5.1.17, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Version *-5.1.16

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fluentforms ≫ Contact Form SwPlatformwordpress Version < 5.1.17

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	26.83%	0.963

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/changeset/3088078/fluentform/trunk/app/Http/Policies/RoleManagerPolicy.php

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/071195d6-3452-4241-a8d3-92efc84e4850?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/071195d6-3452-4241-a8d3-92efc84e4850

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-2771

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-2771

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-2771

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-2771