CVE-2024-2771 Scanner
CVE-2024-2771 Scanner - Privilege Escalation vulnerability in Contact Form Plugin by Fluent Forms
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
16 days 22 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
-
This scanner is designed for the Contact Form Plugin by Fluent Forms, a popular WordPress plugin used by website owners to create contact forms with ease. Website administrators and developers commonly leverage this plugin to enhance user interaction and collect visitor information efficiently. It provides users with a variety of configurations and customizations suited for diverse communication needs within websites. The plugin aims to integrate seamlessly with WordPress, offering an intuitive interface and an array of features to streamline form creation and management. Its widespread usage in the digital ecosystem makes it crucial to address vulnerabilities promptly to safeguard user data.
This vulnerability centers on a privilege escalation flaw due to an absent capability check on the REST API endpoint of the plugin. It allows unauthenticated attackers to exploit the API, enabling them to assign management permissions beyond intended limits. Such access grants them the ability to delve into plugin settings and features unauthorizedly, thereby heightening security risks. The flaw exists in versions of the plugin before 5.1.17, permitting potential manipulation of user privileges and compromising the security posture of the affected WordPress installations.
Technical details reveal that the vulnerable endpoint is '/wp-json/fluentform/v1/managers', which lacks adequate user access validation. Attackers can target this point with crafted requests to gain extra permissions on the plugin's settings. The flaw primarily involves missing authentication checks, which should restrict user roles to prevent unauthorized privilege allocation. As a result, malicious actors can escalate privileges by modifying specific parameters within the API calls, thus exerting control over sensitive plugin functionalities.
Potential effects of this vulnerability, if exploited, can lead to attackers gaining unwarranted access to various settings and data managed by the plugin, including sensitive user inputs. The exploitation allows unauthorized deletion of manager accounts, jeopardizing the integrity and confidentiality of the website data. Such unauthorized modifications can severely undermine the trustworthiness of the website and potentially lead to additional security breaches affecting user privacy.
REFERENCES
