Contact Form Plugin Vulnerability – PHP Object Injection via extractDynamicValues – CVE-2024-4157 | WordPress Plugin Vulnerability Report

Plugin Name: Contact Form Plugin

Key Information:

  • Software Type: Plugin
  • Software Slug: fluentform
  • Software Status: Active
  • Software Author: techjewel
  • Software Downloads: 7,048,138
  • Active Installs: 400,000
  • Last Updated: May 21, 2024
  • Patched Versions: 5.1.16
  • Affected Versions: <= 5.1.15

Vulnerability Details:

  • Name: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues
  • Type: Deserialization of Untrusted Data
  • CVE: CVE-2024-4157
  • CVSS Score: 7.5 (High)
  • Publicly Published: May 21, 2024
  • Researcher: Tobias Weißhaar
  • Description: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771.

Summary:

The Contact Form Plugin for WordPress has a vulnerability in versions up to and including 5.1.15 that allows authenticated attackers with contributor-level access and above to inject a PHP Object via deserialization of untrusted input in the extractDynamicValues function. This vulnerability has been patched in version 5.1.16.

Detailed Overview:

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input in the extractDynamicValues function. This vulnerability was discovered by researcher Tobias Weißhaar and publicly published on May 21, 2024. The vulnerability affects all versions of the plugin up to and including 5.1.15. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Advice for Users:

  1. Immediate Action: Users should update the Contact Form Plugin to version 5.1.16 or later to secure their WordPress installations.
  2. Check for Signs of Vulnerability: Users should check their WordPress site for any signs of compromise, such as unauthorized changes to files or database entries.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 5.1.16 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fluentform

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fluentform/contact-form-plugin-by-fluent-forms-for-quiz-survey-and-drag-drop-wp-form-builder-5115-php-object-injection-via-extractdynamicvalues

Detailed Report:

As a website owner, keeping your WordPress site secure should be a top priority. With the ever-evolving landscape of cyber threats, it's crucial to stay informed about potential vulnerabilities and take timely action to protect your site and your users' data. In this blog post, we'll discuss a recently discovered security vulnerability in the popular Contact Form Plugin by Fluent Forms and what you can do to mitigate the risk.

The Contact Form Plugin by Fluent Forms

The Contact Form Plugin by Fluent Forms is a popular WordPress plugin that lets users build quizzes, surveys, and contact forms with a drag & drop form builder. It has been downloaded over 7 million times and has an active install base of 400,000 websites. The plugin was last updated on May 21, 2024.

The Vulnerability: PHP Object Injection via extractDynamicValues

On May 21, 2024, researcher Tobias Weißhaar publicly disclosed a high-severity vulnerability (CVSS 7.5) in the Contact Form Plugin by Fluent Forms. This vulnerability, identified as CVE-2024-4157, is a PHP Object Injection via deserialization of untrusted input in the extractDynamicValues function. It affects all versions of the plugin up to and including 5.1.15.

The vulnerability allows authenticated attackers with contributor-level access and above to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771.
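The description above (and the Detailed Overview earlier on this page) names the sink class, PHP Object Injection through unserialize() on untrusted input, but not why it is dangerous or how it is fixed. The following is an added illustration written for this report; it is not code from Fluent Forms and does not reproduce the real extractDynamicValues function. The AuditEntry class and the extractValues* function names are hypothetical, and the serialized input is constructed here so the script runs on its own with the PHP CLI.

```php
<?php
// Added example (not Fluent Forms code): why unserialize() on untrusted input
// is a PHP Object Injection sink, and two ways a plugin author can harden it.
// All class and function names here are hypothetical.

// A class with a magic method that PHP calls automatically while
// deserializing. Here it only records that it ran; in a real POP chain it is a
// method like this, in some installed plugin or theme, that the injected
// object would trigger.
class AuditEntry {
    public string $note = '';
    public static array $log = [];

    public function __wakeup(): void {
        self::$log[] = "__wakeup ran with note='{$this->note}'";
    }
}

// Vulnerable pattern: a user-controlled string is handed straight to
// unserialize(), so the caller decides which classes get instantiated.
function extractValuesVulnerable(string $untrusted): mixed {
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the input
// become __PHP_Incomplete_Class placeholders and no magic method runs.
function extractValuesNoClasses(string $untrusted): mixed {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP's serialization format for
// user-controlled data at all. JSON can only yield scalars and arrays.
function extractValuesJson(string $untrusted): array {
    $decoded = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Constructed input: a serialized AuditEntry, standing in for a stored
// "dynamic value" that reached the sink without validation.
$input = serialize(new AuditEntry());

AuditEntry::$log = [];
extractValuesVulnerable($input);
printf("vulnerable: %d magic-method call(s) recorded\n", count(AuditEntry::$log));

AuditEntry::$log = [];
$result = extractValuesNoClasses($input);
printf("allowed_classes=false: got %s, %d magic-method call(s) recorded\n",
    get_class($result), count(AuditEntry::$log));

$values = extractValuesJson('{"name":"value","count":2}');
printf("json: %d key(s), no objects possible\n", count($values));
```

Run with `php example.php`. The vulnerable function records one __wakeup call because the deserializer instantiated AuditEntry and ran its magic method; the allowed_classes=false variant returns a __PHP_Incomplete_Class object and records nothing; the JSON variant never produces objects. The allowed_classes option exists since PHP 7.0, so it is a drop-in fix wherever legacy serialized data must still be read; switching the storage format to JSON removes the sink entirely.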

Risks and Potential Impacts

If successfully exploited, this vulnerability could lead to severe consequences for your WordPress site. Attackers could potentially delete critical files, steal sensitive user data, or execute malicious code on your website. This could result in data breaches, website downtime, and significant damage to your brand's reputation.

How to Remediate the Vulnerability

To protect your WordPress site from this vulnerability, it is crucial to update the Contact Form Plugin to version 5.1.16 or later. This patched version addresses the vulnerability and prevents potential attacks. Additionally, we recommend conducting a thorough review of your WordPress site to check for any signs of compromise, such as unauthorized changes to files or database entries.
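The first step in the advice list above and the paragraph just given both come down to one check: is the installed Fluent Forms build below 5.1.16? The script below is an added example written for this report, not part of the plugin or the advisory. It reads the Version: field from a WordPress plugin header, compares it against the patched version named on this page with version_compare(), and reports the result. The header text is constructed so the script runs offline; the file path in the commented call is a placeholder to be replaced with the real main plugin file.

```php
<?php
// Added example (not part of the advisory or the plugin): check whether a
// plugin's header version is below the first patched release. FIRST_FIXED
// comes from the advisory; the slug is the one listed under Key Information.

const AFFECTED_SLUG = 'fluentform';
const FIRST_FIXED   = '5.1.16';   // patched version named in the report

// Extract the "Version:" line from a WordPress plugin header comment.
// Returns null when no such line exists.
function pluginHeaderVersion(string $headerText): ?string {
    if (preg_match('/^\s*\*?\s*Version:\s*(\S+)/mi', $headerText, $m)) {
        return trim($m[1]);
    }
    return null;
}

// version_compare() understands multi-part versions, so a hypothetical
// 5.1.15.1 is still reported as affected (it is below 5.1.16).
function isAffected(string $installedVersion): bool {
    return version_compare($installedVersion, FIRST_FIXED, '<');
}

// Check one plugin main file on disk. WordPress reads plugin headers from the
// first few kilobytes of the file, so 8 KiB is enough.
function checkPluginFile(string $path): string {
    if (!is_readable($path)) {
        return "cannot read $path";
    }
    $head    = file_get_contents($path, false, null, 0, 8192);
    $version = pluginHeaderVersion($head === false ? '' : $head);
    if ($version === null) {
        return "no Version: header found in $path";
    }
    return isAffected($version)
        ? "$version is affected; update " . AFFECTED_SLUG . " to " . FIRST_FIXED . " or later"
        : "$version is not affected";
}

// Constructed header so the example runs without a WordPress install.
$constructedHeader = <<<'HDR'
<?php
/**
 * Plugin Name: Contact Form Plugin by Fluent Forms
 * Version: 5.1.15
 */
HDR;

$version = pluginHeaderVersion($constructedHeader);
printf("header version %s: %s\n", $version, isAffected($version) ? 'affected' : 'not affected');

// On a real site, point this at the plugin's main file (placeholder path):
// echo checkPluginFile('/PLACEHOLDER-wp-root/wp-content/plugins/' . AFFECTED_SLUG . '/PLACEHOLDER-main-file.php'), PHP_EOL;
```

The same checkPluginFile() call can be looped over every directory under wp-content/plugins to inventory versions across a site, which is the kind of routine check the "Stay Updated" advice depends on.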

If you're concerned about the security of your WordPress site or need assistance with updating your plugins, seeking help from experienced professionals is highly recommended.

Previous Vulnerabilities

It is important to note that this is not the first vulnerability discovered in the Contact Form Plugin by Fluent Forms. Since June 2021, there have been 11 previous vulnerabilities reported. This highlights the importance of staying vigilant and keeping your plugins up to date.

The Importance of Staying on Top of Security Vulnerabilities

As a small business owner, managing a WordPress website can be challenging, especially when it comes to staying on top of security vulnerabilities. However, neglecting website security can have severe consequences for your business. By regularly updating your plugins, monitoring your site for suspicious activity, and seeking professional help when needed, you can significantly reduce the risk of falling victim to cyber attacks.

Remember, investing in website security is not just about protecting your site; it's about protecting your business, your customers, and your reputation. Don't wait until it's too late. Take proactive steps to secure your WordPress site and ensure a safe and reliable online presence for your business.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
