CVE-2024-5053
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 - Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration ModificationThe Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server.
We have discovered 6,793 live websites that are affected by CVE-2024-5053.
Affected Software
| Product |  Fluentform |
| Category | Wordpress Plugins |
| Vulnerable Domains | 6,793 live websites (7.76% of Fluentform install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 57 versions ( 58% of all versions) |
Common Weakness Enumeration
CWE-285 Improper AuthorizationDetails
- Published - Sep 1, 2024
- Updated - Apr 8, 2026
Credits
- Tobias Weißhaar (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-5053 United States | 1,694 websites |
 Germany | 686 websites |
 France | 475 websites |
 GB | 388 websites |
 India | 220 websites |
 Poland | 201 websites |
 Italy | 199 websites |
 Brazil | 165 websites |
 Australia | 162 websites |
 Russia | 155 websites |
Website Distribution by TLD
Number of websites using CVE-2024-5053| .com | 2,752 websites |
| .de | 341 websites |
| .org | 294 websites |
| .co.uk | 232 websites |
| .fr | 156 websites |
| .pl | 156 websites |
| .com.au | 154 websites |
| .com.br | 149 websites |
| .net | 140 websites |
| .it | 139 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-5053
Top websites that are affected by CVE-2024-5053. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********************.com | United States | **,*** | |
| ************.com |  Indonesia | **,*** | |
| **********.com | United States | **,*** | |
| *******.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| ******************.com | United States | **,*** | |
| ***.ci | United States | **,*** | |
| ***********.com | United States | ***,*** | |
| ***********.com | United States | ***,*** | |
| *******.com |  Singapore | ***,*** |
FAQ
CVE-2024-5053 is Improper Authorization in Fluentform
A total of 6,793 websites have been identified as vulnerable to CVE-2024-5053, based on global website indexing conducted by WebTechSurvey.
The Fluentform is affected by the CVE-2024-5053 vulnerability.
Fluentform versions up to and including 5.1.18 are vulnerable to CVE-2024-5053.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8242e0f0-b9c5-46fe-b691-3275cd0f9a43?source=cve
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Http/Routes/api.php#L91
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Http/Policies/FormPolicy.php#L17
- https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/Integrations/MailChimp/MailChimp.php#L40