Contact Form Plugin by Fluent Forms < 5.1.17 – Unauthenticated Limited Privilege Escalation | CVE 2024-2771 | Plugin Vulnerabilities

Description

The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.

Affects Plugins

Fixed in 5.1.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/071195d6-3452-4241-a8d3-92efc84e4850

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Tobias Weißhaar (kun_19)

Verified

No

WPVDB ID

64dabc4a-7df1-44d8-b8cf-376fcd6be318

Timeline

Publicly Published

2024-05-17 (about 2 years ago)

Added

2024-05-21 (about 2 years ago)

Last Updated

2024-05-21 (about 2 years ago)

Other

Published

Title

Published

2026-05-28

Title

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder < 5.1.3 - Missing Authorization

Published

2023-11-15

Title

Elementor Addon Elements < 1.12.8 - Unauthenticated Post ID/Tile Disclosure

Published

2025-12-31

Title

Core Web Vitals & PageSpeed Booster <= 1.0.27 - Missing Authorization

Published

2024-12-14

Title

Easy Site Importer <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Settings Change

Published

2024-11-11

Title

Matix Popup Builder <= 1.0.0 - Unauthenticated Arbitrary Options Update