Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder Vulnerability – Multiple Stored Cross-Site Scripting Vulnerabilities – CVE-2024-6703, CVE-2024-6521, CVE-2024-6518, CVE-2024-6520 | WordPress Plugin Vulnerability Report

Plugin Name: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: fluentform
  • Software Status: Active
  • Software Author: techjewel
  • Software Downloads: 7,722,361
  • Active Installs: 400,000
  • Last Updated: August 12, 2024
  • Patched Versions: 5.1.20
  • Affected Versions: <= 5.1.19

Vulnerability 1 Details:

  • Name: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19
  • Title: Authenticated (Subscriber+) Stored Cross-Site Scripting via Welcome Screen Fields
  • Type: Stored Cross-Site Scripting (XSS)
  • CVE: CVE-2024-6703
  • CVSS Score: 4.9
  • Publicly Published: July 26, 2024
  • Researcher: zer0gh0st
  • Description: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'description' and 'btn_txt' parameters in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Subscriber-level access or higher who have also been granted the plugin's Form Manager permissions to inject arbitrary web scripts into pages that execute whenever a user visits an injected page. Unlike the three issues below, this one does not require an administrator account, only a low-privilege user who has been delegated form management.
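The bug class behind all four issues, shown as an added example that is not Fluent Forms code: a form builder stores attacker-controlled text and later renders it into a page. The vulnerable renderer below concatenates the stored 'description' and 'btn_txt' straight into markup; the hardened one escapes each value for its output context and passes the description through a small allowlist filter (in the spirit of WordPress' wp_kses, since a description legitimately needs some markup). The tag allowlist, the render markup, the function names and the payloads are all constructed for illustration.

```python
"""Stored-XSS bug class behind the four issues, as a constructed demonstration.
Nothing here is Fluent Forms code: the field names mirror the advisory
('description', 'btn_txt'); the markup, allowlist and payloads are invented."""
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Illustrative allowlist for a description field that legitimately needs some
# markup (in the spirit of a wp_kses-style filter, not WordPress' real list).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" permits relative URLs


def safe_href(value: str) -> Optional[str]:
    """Return the href if its scheme is allowed, else None. Tabs and newlines
    are removed first because browsers ignore them inside a URL, so a naive
    startswith('javascript:') check would miss 'java\\nscript:'."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:          # malformed IPv6 literal etc.: refuse, don't crash
        return None
    return cleaned if scheme in SAFE_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags and attributes. Output
    is rebuilt from parsed tokens, so broken or nested payloads cannot survive."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []
        self.open_tags: list = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                   # drop the tag, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                             # drops onerror=, style=, ...
            if name == "href":
                value = safe_href(value or "")
                if value is None:
                    continue
            parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{' '.join(parts)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:                    # close anything left open inside it
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data))                # text context: always escape


def sanitize_description(raw: str) -> str:
    p = AllowlistSanitizer()
    p.feed(raw)
    p.close()
    while p.open_tags:                               # close unterminated tags
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


def render_welcome_vulnerable(description: str, btn_txt: str) -> str:
    # The bug class: stored strings dropped straight into markup.
    return f'<div class="ff-welcome">{description}<button>{btn_txt}</button></div>'


def render_welcome_hardened(description: str, btn_txt: str) -> str:
    # Each sink gets the treatment for its context: allowlist where markup is
    # intended, escape() for text, escape(quote=True) inside an attribute.
    return (
        '<div class="ff-welcome">'
        f"{sanitize_description(description)}"
        f'<button value="{escape(btn_txt, quote=True)}">{escape(btn_txt)}</button>'
        "</div>"
    )


# Constructed payloads aimed at the two parameters the advisory names.
PAYLOAD_DESCRIPTION = (
    'Welcome! <a href="javascript:alert(document.cookie)">Start</a>'
    "<img src=x onerror=alert(1)>"
)
PAYLOAD_BTN = '"><script>alert(1)</script>'


def looks_like_xss(html_out: str) -> bool:
    """Crude indicator used only to contrast the two renderers."""
    low = html_out.lower()
    return "<script" in low or "onerror=" in low or "javascript:" in low


if __name__ == "__main__":
    print(render_welcome_vulnerable(PAYLOAD_DESCRIPTION, PAYLOAD_BTN))
    print(render_welcome_hardened(PAYLOAD_DESCRIPTION, PAYLOAD_BTN))
```

The point of the allowlist rather than a blocklist is that the output is re-serialised from parsed tokens, so a tag the parser does not recognise, an unquoted event-handler attribute, or a javascript: URL hidden behind a newline never reaches the page in its original form.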

Vulnerability 2 Details:

  • Name: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19
  • Title: Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: Stored Cross-Site Scripting (XSS)
  • CVE: CVE-2024-6521
  • CVSS Score: 4.4
  • Publicly Published: July 26, 2024
  • Researcher: Joel Indra - Fourqinex Solutions
  • Description: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dropdown fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages that execute whenever a user visits an injected page. The issue matters chiefly on multi-site installations and on sites where the unfiltered_html capability has been disabled (for example with the DISALLOW_UNFILTERED_HTML constant in wp-config.php): on an ordinary single-site install an administrator already holds unfiltered_html and can place arbitrary markup without a plugin bug, whereas on multisite only super administrators have that capability.

Vulnerability 3 Details:

  • Name: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19
  • Title: Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: Stored Cross-Site Scripting (XSS)
  • CVE: CVE-2024-6518
  • CVSS Score: 4.4
  • Publicly Published: July 26, 2024
  • Researcher: Joel Indra - Fourqinex Solutions
  • Description: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via input fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages that execute whenever a user visits an injected page. The issue matters chiefly on multi-site installations and on sites where the unfiltered_html capability has been disabled, since elsewhere an administrator can already place arbitrary markup.

Vulnerability 4 Details:

  • Name: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19
  • Title: Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: Stored Cross-Site Scripting (XSS)
  • CVE: CVE-2024-6520
  • CVSS Score: 4.4
  • Publicly Published: July 26, 2024
  • Researcher: Joel Indra - Fourqinex Solutions
  • Description: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom error messages in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages that execute whenever a user visits an injected page. As with the other administrator-level issues, this matters chiefly on multi-site installations and on sites where the unfiltered_html capability has been disabled, because elsewhere an administrator can already place arbitrary markup.

Summary:

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder for WordPress has multiple vulnerabilities in versions up to and including 5.1.19 that allow for authenticated Stored Cross-Site Scripting (XSS) attacks. These vulnerabilities have been patched in version 5.1.20.

Detailed Overview:

The vulnerabilities in the Fluent Forms plugin were identified by researchers zer0gh0st and Joel Indra of Fourqinex Solutions. Each one lets an authenticated user store script in a plugin field that is later rendered without adequate escaping, so the script runs in the browser of whoever views the affected page. The potential impact is the usual stored-XSS set: unauthorized content changes, actions performed in the victim's session, and exposure of sensitive data. The required privilege differs between the issues: CVE-2024-6703 is reachable from a Subscriber-level account that has been granted form-manager permissions, while the other three need an administrator account and are therefore mainly a concern on multi-site installations and on sites where the unfiltered_html capability has been disabled, because elsewhere an administrator can already place arbitrary markup.

The developers have responded by releasing version 5.1.20, which addresses these issues by improving input sanitization and output escaping across all affected fields.

Advice for Users:

  • Immediate Action: Update to version 5.1.20 or later. Every release up to and including 5.1.19 carries all four issues.
  • Check for Signs of Compromise: Review the stored settings of every form for markup you did not add, in particular welcome-screen descriptions and button text, dropdown options, input field labels and placeholders, and custom error messages. Updating fixes the rendering; any payload stored before the update should still be found and removed. Also review which accounts have been granted form-manager permissions, since CVE-2024-6703 is reachable from a Subscriber-level account with that delegation. If you find anything suspicious, consult a security expert.
  • Alternate Plugins: While the patched version is available, users may want to consider alternative form builder plugins with a stronger security track record.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities like these.

Conclusion:

The prompt response from the plugin developers to patch these vulnerabilities underscores the importance of timely updates. Users are advised to ensure that they are running version 5.1.20 or later to secure their WordPress installations.

Detailed Report: 

In today’s fast-paced digital world, maintaining the security of your WordPress website is critical. One of the most effective ways to protect your site from potential threats is to keep all your plugins up to date. Recently, a series of vulnerabilities were discovered in the widely used Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder. These vulnerabilities, affecting versions up to and including 5.1.19, allow for authenticated Stored Cross-Site Scripting (XSS) attacks. If left unpatched, these vulnerabilities could expose your website to unauthorized content changes, malicious script executions, and even the potential leakage of sensitive data.

Vulnerability Details:

The vulnerabilities in the Fluent Forms plugin were identified by researchers zer0gh0st and Joel Indra of Fourqinex Solutions. These vulnerabilities allow authenticated users with varying levels of access (Subscriber+ and Administrator+) to inject malicious scripts into specific fields of the plugin. These scripts can then execute whenever a user accesses an affected page, leading to potential unauthorized actions or data exposure.

Risks and Potential Impacts:

The risks associated with these vulnerabilities are significant, particularly for small business owners who may not have the time or resources to continually monitor their website for security issues. If exploited, they let an attacker plant script that runs in the browsers of visitors and administrators, which can lead to unauthorized changes, data exposure, and harm to your business's reputation. The privilege needed varies: CVE-2024-6703 is reachable from a Subscriber-level account that has been granted form-manager permissions, while the other three require an administrator account and are mainly a concern on multi-site installations and on sites where the unfiltered_html capability has been disabled, since elsewhere an administrator can already place arbitrary markup.

How to Remediate the Vulnerability:

To protect your website from these vulnerabilities, the developers of the Fluent Forms plugin have released version 5.1.20, which patches these issues by improving input sanitization and output escaping across all affected fields. Here’s what you need to do:

  1. Immediate Action: Update your Fluent Forms plugin to version 5.1.20 or later as soon as possible. Confirm the installed version afterwards rather than assuming the update ran; every release up to and including 5.1.19 is affected.
  2. Check for Signs of Compromise: Review the stored settings of every form for markup you did not add, particularly welcome-screen descriptions and button text, dropdown options, input field labels and placeholders, and custom error messages, and review which accounts hold form-manager permissions. If you notice anything unusual, consult with a security expert to perform a thorough audit.
  3. Consider Alternative Plugins: If you are concerned about the security history of the Fluent Forms plugin, you may want to explore alternative form builder plugins with a stronger security track record. Ensure that any new plugin you choose meets your needs and is regularly updated.
  4. Stay Updated: Regularly checking for and applying updates to all your WordPress plugins is one of the most effective ways to protect your site from vulnerabilities. Consider enabling automatic updates or setting a reminder to manually check for updates weekly.
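Steps 1 and 2 above (and the matching items in the Advice for Users list) come down to two checks that can be scripted. The following is an added example, not code from the plugin or this site: it decides whether an installed copy falls in the affected range (<= 5.1.19, fixed in 5.1.20) using numeric rather than string version comparison, and it walks a form's stored settings looking for script-bearing values in the kinds of fields the four CVEs name. The plugin header text, the form JSON and its key names are constructed samples; adapt the key names to how your installation actually stores form settings.

```python
"""Constructed triage helpers for this advisory. The plugin header text, the
form JSON and its key names are samples made up for the example; adapt the
key names to how your installation actually stores form settings."""
import json
import re
from typing import Iterator, List, Optional, Tuple

PATCHED = "5.1.20"          # first fixed release named in the advisory

# Stand-in for the header comment at the top of a plugin's main PHP file.
SAMPLE_PLUGIN_HEADER = """\
<?php
/**
 * Plugin Name: Fluent Forms (constructed sample header)
 * Version: 5.1.9
 */
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that 5.1.9 < 5.1.19 < 5.1.20. A string comparison gets
    this wrong ('5.1.9' > '5.1.20'). Pre-release suffixes are not modelled."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def installed_version(header_text: str) -> Optional[str]:
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(version: str, patched: str = PATCHED) -> bool:
    """True for every release below the patched one, i.e. <= 5.1.19 here."""
    return parse_version(version) < parse_version(patched)


# Crude indicators of script-bearing markup in a stored setting.
SCRIPT_INDICATORS = re.compile(
    r"<\s*/?\s*(?:script|iframe|svg|img|object|embed|math)\b"  # tags that can run script
    r"|\bon[a-z]{4,}\s*="                                      # inline event handlers
    r"|javascript\s*:",                                        # scheme in href/src
    re.IGNORECASE,
)

# Constructed form definition touching the field kinds the four CVEs name:
# welcome-screen text, dropdown options, input labels and custom error messages.
SAMPLE_FORM = json.dumps({
    "welcome_screen": {
        "description": "Thanks for visiting <b>our site</b>",
        "btn_txt": "Start <img src=x onerror=alert(1)>",
    },
    "fields": [
        {"element": "select", "label": "Plan",
         "options": ["Basic", "<svg/onload=alert(1)>"]},
        {"element": "input_text", "label": "Name", "placeholder": "Your name",
         "validation": {"required": {"message": "Required <script>alert(1)</script>"}}},
        {"element": "input_email", "label": "Email", "placeholder": "you@example.com"},
    ],
})


def walk_strings(obj, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json-path, value) for every string anywhere in a nested structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_form(form_json: str) -> List[dict]:
    """Return one finding per stored string that carries a script indicator."""
    findings = []
    for path, value in walk_strings(json.loads(form_json)):
        m = SCRIPT_INDICATORS.search(value)
        if m:
            findings.append({"path": path, "indicator": m.group(0), "value": value})
    return findings


if __name__ == "__main__":
    ver = installed_version(SAMPLE_PLUGIN_HEADER)
    if ver is None:
        print("no Version: header found")
    else:
        state = "AFFECTED, update to " + PATCHED if is_affected(ver) else "patched"
        print(f"installed {ver}: {state}")
    for f in scan_form(SAMPLE_FORM):
        print(f"{f['path']}: matched {f['indicator']!r} in {f['value']!r}")
```

The indicator list is deliberately crude and will miss obfuscated payloads; treat a hit as something to look at by hand, and a clean scan as no more than a first pass. The version comparison is the part most often done wrong in ad-hoc checks, since "5.1.9" sorts after "5.1.20" as a string.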

Overview of Previous Vulnerabilities:

It’s important to note that this isn’t the first time the Fluent Forms plugin has faced security challenges. There have been 12 previous vulnerabilities reported since June 16, 2021. While the developers have consistently addressed these issues with updates, the recurrence of vulnerabilities highlights the importance of staying vigilant and proactive in your website’s security management.

Conclusion:

For small business owners, keeping up with security vulnerabilities can be overwhelming, especially when you’re focused on running your business. However, the risks of neglecting website security are too great to ignore. Regular updates, vigilant monitoring, and professional assistance when needed are all critical steps in protecting your website. By staying proactive, you can safeguard your business, your customers, and your online presence from potential threats.

If you don’t have the time or expertise to manage these updates yourself, consider hiring a professional to ensure your website remains secure and up to date. Taking these steps now can save you from potential headaches and losses in the future.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
