Contact Form Plugin – Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title – CVE-2024-0618 | WordPress Plugin Vulnerability Report
Plugin Name: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
Key Information:
- Software Type: Plugin
- Software Slug: fluentform
- Software Status: Active
- Software Author: techjewel
- Software Downloads: 5,679,069
- Active Installs: 400,000
- Last Updated: January 18, 2024
- Patched Versions: 5.1.7
- Affected Versions: <= 5.1.5
Vulnerability Details:
- Name: Fluent Forms <= 5.1.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title
- Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CVE: CVE-2024-0618
- CVSS Score: 4.4 (Medium)
- Publicly Published: January 18, 2024
- Researcher: Akbar Kustirama
- Description: The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Summary:
Fluent Forms (the Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress) has a stored cross-site scripting vulnerability in versions up to and including 5.1.5 that allows authenticated users with administrator-level access to inject malicious scripts via imported form titles. The issue has been patched in version 5.1.7.
Detailed Overview:
A vulnerability discovered by Akbar Kustirama makes it possible for authenticated WordPress users with administrator-level access to inject arbitrary web scripts into Fluent Forms pages via imported form titles. This stored cross-site scripting vulnerability stems from insufficient sanitization of the imported form title on input and insufficient escaping when it is rendered, so an injected script executes whenever a user loads a page that displays the affected title. It is only meaningful on installations where the unfiltered_html capability has been restricted, such as multi-site installations, because on a default single-site install administrators are already permitted to publish unfiltered HTML. Depending on the injected script, risks include exposure of user session tokens and redirection of users to phishing sites. Users are advised to update to version 5.1.7 or later to mitigate the risks associated with this stored XSS vulnerability.
Advice for Users:
- Immediate Action: Update the Contact Form Plugin to version 5.1.7 or later.
- Check for Signs of Vulnerability: Review stored form titles, especially any that were imported, for unexpected HTML or script markup. Also monitor site traffic and behavior for irregularities.
- Alternate Plugins: Consider alternative contact form plugins like WPForms or Formidable Forms.
- Stay Updated: Enable automatic updates in WordPress to ensure plugins stay current.
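To make the description above concrete, and to support the "Check for Signs of Vulnerability" step, here is an added Python example (not the plugin's, Wordfence's, or the report author's code) showing the two layers the advisory names, input sanitization and output escaping, applied to an imported form title, together with a small audit that flags stored titles carrying markup. The export layout, the sample titles and the function names are assumptions constructed for the example.

```python
import html
import json
import re

# A form title should never contain markup; this matches anything tag-like.
TAG_RE = re.compile(r"<[^>]*>")
# Markers to flag in a stored title: a tag start, an inline event-handler
# attribute, or a javascript: URL scheme.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def sanitize_title(raw: str) -> str:
    """Input side: reduce an imported title to plain text (approximates
    WordPress sanitize_text_field(): strip tags, drop control characters,
    collapse whitespace). Illustrative, not the plugin's own code."""
    text = TAG_RE.sub("", raw)
    text = re.sub(r"[\x00-\x1f\x7f]", "", text)
    return " ".join(text.split())


def render_title(stored: str) -> str:
    """Output side: escape for an HTML context, as esc_html() does."""
    return html.escape(stored, quote=True)


def safe_import_and_render(raw: str) -> str:
    """Both layers together: whatever was imported comes out as inert text."""
    return render_title(sanitize_title(raw))


def find_suspicious_titles(export_json: str) -> list:
    """Audit step: list (id, title) for stored titles that carry markup.
    Assumes a JSON array of form objects with "id" and "title" keys."""
    forms = json.loads(export_json)
    return [(f.get("id"), f["title"]) for f in forms
            if SUSPICIOUS_RE.search(f.get("title", ""))]


# Constructed sample export (not a real Fluent Forms export file).
SAMPLE_EXPORT = json.dumps([
    {"id": 1, "title": "Contact Us"},
    {"id": 2, "title": "Quote <script>alert(1)</script> Request"},
    {"id": 3, "title": "Feedback <img src=x onerror=alert(1)>"},
])

if __name__ == "__main__":
    for form_id, title in find_suspicious_titles(SAMPLE_EXPORT):
        print(f"form {form_id}: {title!r} -> {safe_import_and_render(title)!r}")
```

On a real site the input would come from the plugin's form export or a query of its form table; the audit pattern is a triage aid for spotting markup in a field that should be plain text, not a complete XSS detector.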
Conclusion:
Fluent Forms addressed this vulnerability quickly by releasing version 5.1.7 to patch the stored XSS vulnerability. Users should ensure they are running the latest version as malicious actors may seek to exploit this issue, especially on outdated plugins.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fluentform
Detailed Report:
Keeping your WordPress site secure requires constant vigilance – a task made easier when the community responsibly discloses and addresses vulnerabilities. Case in point is a recently patched stored cross-site scripting (XSS) flaw in a popular WordPress contact form plugin, Fluent Forms. While the plugin developers quickly released version 5.1.7 to address this vulnerability, any site running an older version of Fluent Forms could be at risk.
About Fluent Forms
Fluent Forms is a widely used WordPress plugin for building custom contact forms with over 5 million downloads. Created by techjewel, it touts ease of use with drag and drop form building and advanced features for accepting payments, multi-page forms, and conditional logic.
The Vulnerability Explained
Researcher Akbar Kustirama discovered a stored XSS vulnerability affecting Fluent Forms versions up to and including 5.1.5. The flaw makes it possible for users with admin access to a WordPress site to inject malicious scripts into imported Fluent Forms titles. When pages with a compromised title are viewed, the scripts execute – creating risks of exposing user tokens, redirecting to phishing sites, or other attacks depending on the injected code.
What Website Owners Need to Know
Left unaddressed, this vulnerability poses risks even to people who don’t run Fluent Forms themselves, since a compromised site can be leveraged to attack its visitors. Risks grow for sites with outdated plugins. As a website owner, staying on top of vulnerabilities like this is key for security, but admittedly time consuming.
Take These Steps to Protect Your Website
- If using Fluent Forms, update to version 5.1.7
- Enable automatic WordPress updates
- Limit plugins and themes to reputable sources
- Periodically scan site for malware or unauthorized code
While Fluent Forms resolved this issue, the lesson applies more broadly: tedious as it may be, web security requires keeping software updated. Consider taking preventative measures like limiting plugins, using a managed WordPress host, and scanning for unauthorized code. Staying informed about disclosed vulnerabilities can prevent your site from being leveraged by bad actors.
The Importance of Staying Vigilant
Keeping a WordPress site secured is an ongoing process, but a worthy investment to safeguard your business and visitors. While vulnerabilities happen, responsibly disclosing and patching them is critical, as the WordPress community demonstrated here. The ease of updating Fluent Forms shows the value of using well-supported software, but website owners must do their part and apply the patches.
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.