Contact Form Plugin by Fluent Forms < 5.1.17 – Contributor+ Stored XSS | CVE 2024-4709 | Plugin Vulnerabilities

Description

The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, and access granted by an administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 5.1.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5fe317a6-a391-441a-aac8-c8fa57e73169

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tobias Weißhaar (kun_19)

Verified

No

WPVDB ID

b8cfb159-8250-45a5-8bae-3f219563c3b0

Timeline

Publicly Published

2024-05-17 (about 1 year ago)

Added

2024-05-21 (about 1 year ago)

Last Updated

2024-05-21 (about 1 year ago)

Other

Published

Title

Published

2025-05-19

Title

WPAdverts < 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-12-11

Title

Newsletter Subscriptions <= 2.1 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

Rio Photo Gallery <= 0.1 - Reflected Cross-Site Scripting

Published

2026-03-06

Title

Media Library Alt Text Editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute

Published

2022-05-30

Title

Google XML Sitemaps < 4.1.3 - Admin+ Stored Cross-Site Scripting