WordPress Plugin Vulnerabilities

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder < 5.1.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Welcome Screen Fields

Description

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ and 'btn_txt' parameters in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for attackers with the Form Manager permissions and Subscriber+ user role, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
fluentform
Fixed in 5.1.20

References

CVE
CVE-2024-6703
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/69dc9236-8079-434f-b2b5-060a0c5eba46

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
zer0gh0st
Verified
No
WPVDB ID
bf2fd464-ccf3-435b-ba83-65c432976005

Timeline

Publicly Published
2024-07-26 (about 1 year ago)
Added
2024-07-27 (about 1 year ago)
Last Updated
2024-07-27 (about 1 year ago)

Other

Published
Title
Published
2025-09-22
Title
VikRestaurants Table Reservations and Take-Away < 1.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-02-02
Title
WP Church Center <= 1.3.3 - Reflected Cross-Site Scripting
Published
2024-11-18
Title
TM Islamic Helper <= 1.0.1 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
Wordpress 2.8.1 - URL Remote Cross-Site Scripting (XSS)
Published
2024-06-19
Title
Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_title]