Contact Form Plugin by Fluent Forms Vulnerability - Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-6957 | WordPress Plugin Vulnerability Report
Plugin Name: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder
Key Information:
- Software Type: Plugin
- Software Slug: fluentform
- Software Status: Active
- Software Author: techjewel
- Software Downloads: 5,973,827
- Active Installs: 400,000
- Last Updated: March 7, 2024
- Patched Versions: 5.1.10
- Affected Versions: <= 5.1.9
Vulnerability Details:
- Name: Fluent Forms <= 5.1.9
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2023-6957
- CVSS Score: 4.9
- Publicly Published: March 5, 2024
- Researcher: drop
- Description: The Fluent Forms plugin is vulnerable to Stored Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping in all versions up to and including 5.1.9. The flaw allows attackers with at least contributor-level access to inject malicious scripts into pages, which then execute in the browser of any user who views those pages. The practical risk depends on which roles administrators have permitted to create forms: this can be set as low as contributor, although the default is administrator.
Summary:
The Contact Form Plugin by Fluent Forms for WordPress presents a Stored Cross-Site Scripting vulnerability in versions up to and including 5.1.9. This security flaw, which allows for the injection and execution of arbitrary web scripts, has been effectively addressed in version 5.1.10.
Detailed Overview:
Discovered by the researcher known as drop, this vulnerability within Fluent Forms exposes a critical security risk, particularly in environments where lower-level users are permitted to create forms. Stored XSS vulnerabilities like this one are especially concerning because the injected script runs in the browser of every user who views the affected page, which can lead to anything from stealing user data to taking over admin accounts. It is crucial for administrators to understand the extent of access granted to users and the potential implications it has on site security.
Advice for Users:
- Immediate Action: All users of Fluent Forms should immediately update to version 5.1.10, which contains the necessary patches for this vulnerability.
- Check for Signs of Vulnerability: Admins should review user roles and permissions, ensuring that only trusted users have the capability to create or modify forms. Additionally, inspecting form content for unexpected or malicious scripts can help identify if exploitation has occurred.
- Alternate Plugins: While the patched version is secure, users who are concerned about security may consider exploring alternative form builder plugins with a strong emphasis on security and regular updates.
- Stay Updated: The importance of keeping all WordPress plugins, themes, and the core updated cannot be overstated. Regular updates are vital for maintaining security and functionality.
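The inspection step above can be automated. The script below is an added example, not code from this report or from the plugin's developers: it walks a JSON export of stored form definitions and flags strings containing script tags, on* event-handler attributes or javascript: URIs. The row layout, column names and field keys in the sample are assumptions constructed for illustration.

```python
import json
from html.parser import HTMLParser

# Constructed sample rows standing in for form definitions exported from the
# site database; the column names and field keys are assumptions, not the
# plugin's actual schema.
SAMPLE_ROWS = [
    {"id": 1, "title": "Contact", "form_fields": json.dumps({"fields": [
        {"element": "input_text",
         "settings": {"label": "Your name", "placeholder": "Jane"}}]})},
    {"id": 2, "title": "Quiz", "form_fields": json.dumps({"fields": [
        {"element": "custom_html",
         "settings": {"html_codes": "<p>Hi</p><script>alert(1)</script>"}},
        {"element": "input_url",
         "settings": {"label": '<a href="javascript:void(0)" onclick="x()">site</a>'}}]})},
]

class _MarkupAudit(HTMLParser):
    """Collects reasons why a fragment of markup is suspicious."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name}")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name}")

def _walk(node, path):
    """Yield (json_path, string) for every string leaf in nested JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_forms(rows):
    """Return [(form_id, json_path, reason)] for every suspicious string."""
    results = []
    for row in rows:
        for path, text in _walk(json.loads(row["form_fields"]), "form_fields"):
            if "<" not in text:
                continue  # no markup at all; nothing to parse
            parser = _MarkupAudit()
            parser.feed(text)
            results.extend((row["id"], path, reason) for reason in parser.findings)
    return results

if __name__ == "__main__":
    for hit in audit_forms(SAMPLE_ROWS):
        print(hit)
```

A hit only indicates markup worth a manual look; legitimate custom HTML fields may contain inline scripts that an administrator placed deliberately.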
Conclusion:
The swift action taken by Fluent Forms' developers to release a patch for this vulnerability highlights the ongoing need for vigilance in the digital space. By updating to version 5.1.10, users can protect their WordPress sites from potential exploitation. It is a poignant reminder for all WordPress site owners about the importance of regular software updates and diligent site management practices.