CVE-2024-2782

HIGH · EXPLOITED · NUCLEI

WordPress FluentForms <= 5.1.16 - Broken Access Control

Title source: nuclei

Description

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings.
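The bug class described above (CWE-862, a REST route registered without a capability check) and its fix, as an added illustration in PHP that is not FluentForms' own code. Only the route namespace and path come from the advisory; the function names, the option key and the request shape are assumed for the example. In the WordPress REST API the permission_callback runs before the route callback, so a callback that always returns true makes the endpoint reachable by any unauthenticated client, and requiring manage_options closes it.

```php
<?php
// Constructed example of CWE-862 on a WordPress REST route. It is not code
// from the FluentForms plugin; route namespace/path mirror the advisory,
// everything else (function names, option key, payload shape) is assumed.

// Vulnerable pattern, shown for contrast and deliberately never hooked:
// '__return_true' as permission_callback means WordPress performs no
// authorization at all, so an unauthenticated POST reaches the update handler.
function example_register_global_settings_vulnerable() {
    register_rest_route( 'fluentform/v1', '/global-settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_global_settings',
        'permission_callback' => '__return_true', // missing capability check
    ) );
}

// Hardened pattern: a permission_callback that requires an administrator
// capability. WordPress evaluates it before the route callback and answers
// with rest_forbidden (401 for anonymous, 403 for logged-in users lacking the
// capability) when it returns false or a WP_Error.
function example_register_global_settings_fixed() {
    register_rest_route( 'fluentform/v1', '/global-settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_global_settings',
        'permission_callback' => 'example_can_manage_settings',
        'args'                => array(
            'settings' => array(
                'required'          => true,
                'type'              => 'object',
                'sanitize_callback' => 'example_sanitize_settings',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_global_settings_fixed' );

// Capability check. current_user_can() is false for anonymous requests and
// for cookie-authenticated requests that lack a valid X-WP-Nonce, so this
// also blocks the CSRF variant of the same write.
function example_can_manage_settings( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Sanitizer for the assumed settings map; map_deep() applies
// sanitize_text_field() to every leaf of a nested array.
function example_sanitize_settings( $value ) {
    return is_array( $value ) ? map_deep( $value, 'sanitize_text_field' ) : array();
}

// Route callback: persists the (already authorized and sanitized) settings.
// 'example_global_settings' is an assumed option name.
function example_update_global_settings( WP_REST_Request $request ) {
    update_option( 'example_global_settings', $request->get_param( 'settings' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin for this class, grep its register_rest_route() calls for permission_callback values of '__return_true' or callbacks that only verify a nonce without calling current_user_can(); a nonce alone proves request origin, not authorization.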

Exploits (1)

nomisec WORKING POC
by whale93 · client-side
https://github.com/whale93/CVE-2024-2782-PoC

Nuclei Templates (1)

WordPress FluentForms <= 5.1.16 - Broken Access Control
HIGH · VERIFIED · by riteshs4hu
Shodan: http.html:"/wp-content/plugins/fluentform/"
FOFA: body="/wp-content/plugins/fluentform/"

Scores

CVSS v3 7.5
EPSS 0.0725
EPSS Percentile 91.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

VulnCheck KEV 2024-05-20
CWE
CWE-862
Status published
Products (2)
fluentforms/contact_form < 5.1.17
techjewel/Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder < 5.1.16
Published May 18, 2024
Tracked Since Feb 18, 2026