WordPress Plugin Vulnerabilities

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder < 6.0.0 - IP-Spoofing

Description

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers spoof their IP address and submit forms that may have IP-based restrictions.

Affects Plugins

Plugin icon
fluentform
Fixed in 6.0.0

References

CVE
CVE-2024-13666
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e06fe8e4-e27a-4492-b175-3b0846e4cf10

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
shaman0x01
Verified
No
WPVDB ID
5f9b6802-cfb9-4089-ab81-df9d29205e69

Timeline

Publicly Published
2025-03-21 (about 1 year ago)
Added
2025-03-24 (about 1 year ago)
Last Updated
2025-03-24 (about 1 year ago)

Other

Published
Title
Published
2024-03-27
Title
coreActivity < 2.1 - Unauthenticated IP Spoofing
Published
2023-12-29
Title
Malware Scanner < 4.7.2 - IP Spoofing
Published
2024-04-27
Title
Survey Maker < 4.1.0 - IP Address Spoofing
Published
2025-10-30
Title
OOPSpam Anti-Spam < 1.2.54 - Unauthenticated IP Header Spoofing
Published
2023-12-27
Title
Rate my Post < 3.4.3 - IP Spoofing