CVE-2024-2782


WordPress FluentForms <= 5.1.16 - Broken Access Control

Title source: nuclei

Exploitation Summary

CVE-2024-2782 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including whale93. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC demonstrates an unauthenticated REST API endpoint vulnerability in Fluent Forms for WordPress, allowing attackers to modify plugin settings via a crafted POST request. The exploit leverages missing capability checks to alter email recipient settings.

Description

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings.

Exploits (1)

nomisec · WORKING POC
by whale93 · client-side
https://github.com/whale93/CVE-2024-2782-PoC


Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Contact Form – Fluent Forms for WordPress ≤ 5.1.16
No auth needed
Prerequisites: WordPress site with Fluent Forms ≤ 5.1.16 active · Access to the site’s REST API
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

WordPress FluentForms <= 5.1.16 - Broken Access Control
HIGH · VERIFIED · by riteshs4hu
Shodan: http.html:"/wp-content/plugins/fluentform/"
FOFA: body="/wp-content/plugins/fluentform/"

Scores

CVSS v3: 7.5
EPSS: 0.0123
EPSS Percentile: 64.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

VulnCheck KEV: 2024-05-20
CWE: CWE-862 (Missing Authorization)
Status: published
Products (2)
fluentforms/contact_form < 5.1.17
techjewel/Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder < 5.1.16
Published: May 18, 2024
Tracked Since: Feb 18, 2026