CVE-2024-4709
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Authenticated (Contributor+) Stored Cross-Site ScriptingThe Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ parameter in versions up to, and including, 5.1.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, and access granted by an administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 11,951 live websites that are affected by CVE-2024-4709.
Affected Software
| Product |  Fluentform |
| Category | Wordpress Plugins |
| Vulnerable Domains | 11,951 live websites (18.65% of Fluentform install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 92 versions ( 81.42% of all versions) |
Details
- Published - May 18, 2024
- Updated - Aug 1, 2024
Credits
- Tobias Weißhaar (finder)
CVE References
CVE-2024-4709 usage by Country
 United States | 4,358 websites |
 Germany | 1,486 websites |
 France | 766 websites |
 GB | 563 websites |
 Cyprus | 449 websites |
 Poland | 295 websites |
 Russia | 255 websites |
 Netherlands | 215 websites |
 South Africa | 214 websites |
 Australia | 180 websites |
CVE-2024-4709 usage by TLD
| .com | 5,101 websites |
| .de | 559 websites |
| .org | 510 websites |
| .co.uk | 403 websites |
| .com.au | 308 websites |
| .ru | 276 websites |
| .com.br | 258 websites |
| .net | 249 websites |
| .pl | 236 websites |
| .fr | 229 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-4709
Top websites that are affected by CVE-2024-4709. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************************.***.mx | United States | *,*** | |
| *********************.com | United States | **,*** | |
| ****.com | United States | **,*** | |
| ************.com |  Indonesia | **,*** | |
| **********.com | France | **,*** | |
| ******.eu | Poland | **,*** | |
| *******.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| ***********.com | United States | **,*** | |
| *****.com | United States | **,*** |
FAQ
A total of 11,951 websites have been identified as vulnerable to CVE-2024-4709, discovered through global website indexing conducted by WebTechSurvey.
Fluentform is susceptible to CVE-2024-4709 vulnerability.
Fluentform versions before, and including, 5.1.16 are vulnerable to CVE-2024-4709.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5fe317a6-a391-441a-aac8-c8fa57e73169?source=cve
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotification.php#L106
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotification.php#L164
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotification.php#L194
- https://plugins.trac.wordpress.org/changeset/3088078/