CVE-2024-5053: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 - Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification
First published: Sun Sep 01 2024(Updated: )
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fluent Forms | <5.1.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8242e0f0-b9c5-46fe-b691-3275cd0f9a43?source=cve
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Http/Routes/api.php#L91
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Http/Policies/FormPolicy.php#L17
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/Integrations/MailChimp/MailChimp.php#L40
Frequently Asked Questions
What is the severity of CVE-2024-5053?
CVE-2024-5053 is classified as a critical vulnerability due to the possibility of unauthorized updates to Mailchimp API keys.
How do I fix CVE-2024-5053?
To fix CVE-2024-5053, upgrade the Fluent Forms plugin to version 5.1.19 or later.
What versions of the Fluent Forms plugin are affected by CVE-2024-5053?
All versions of the Fluent Forms plugin up to and including 5.1.18 are affected by CVE-2024-5053.
What specific functionality is compromised in CVE-2024-5053?
CVE-2024-5053 compromises the verifyRequest function, allowing unauthorized users to update Mailchimp API keys.
Is user data at risk due to CVE-2024-5053?
Yes, CVE-2024-5053 potentially exposes user data to unauthorized access due to the vulnerabilities in the Contact Form Plugin.
- agent/references
- agent/title
- agent/first-publish-date
- agent/type
- agent/description
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/fluentforms
- canonical/fluent forms