WordPress Plugin Vulnerabilities

Contact Form for Plugin by Fluent Forms < 5.0.9 - Insecure Direct Object Reference

Description

The Contact Form for Plugin by Fluent Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 5.0.8 via the addIsRenderableFilter() function due to missing validation on the publication status of a form. This makes it possible for users to render and submit forms when the form is in an 'unpublished' state.

Affects Plugins

Plugin icon
fluentform
Fixed in 5.0.9

References

CVE
CVE-2023-41952
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/20f31e48-0dbb-498a-a400-681cacea7c9c

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Revan Arifio
Verified
No
WPVDB ID
dbce5fb4-9abf-4351-a9ae-01d304eb2e6c

Timeline

Publicly Published
2023-09-08 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-07 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
SKT Addons for Elementor < 3.4 - Authenticated (Contributor+) Post Disclosure
Published
2026-01-09
Title
WooCommerce Square < 5.1.2 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id
Published
2025-05-12
Title
Subaccounts for WooCommerce < 1.6.7 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Published
2023-06-23
Title
JS Help Desk - Best Help Desk & Support < 2.7.8 - Subscriber+ Ticket Manipulation via IDOR
Published
2025-05-05
Title
Reales WP STPT <= 2.1.2 - Authenticated (Subscriber+) Privilege Escalation via Password Update