Security advisories have been published for vulnerabilities in two of the most popular WordPress contact form plugins, together affecting over 1.1 million installations. Site owners are advised to update both plugins to their latest versions.
Over 1 Million WordPress Contact Form Installations
The affected plugins are Ninja Forms, with over 800,000 installations, and Contact Form Plugin by Fluent Forms, with over 300,000 installations. The two vulnerabilities are unrelated and stem from different classes of flaw.
Ninja Forms fails to escape a URL parameter before reflecting it into the page, which enables a reflected cross-site scripting attack (reflected XSS). Fluent Forms performs an insufficient capability check before a privileged action, so a low-privileged user can reach functionality that should be restricted to administrators.
Ninja Forms Reflected Cross-Site Scripting
The reflected XSS vulnerability in Ninja Forms lets an attacker craft a link that, when an administrator clicks it, runs attacker-supplied JavaScript in the administrator's authenticated browser session, so the attacker can perform actions with that administrator's privileges. Because the payload is reflected from the request rather than stored on the site, exploitation requires the extra step of tricking a logged-in administrator into visiting the crafted URL. At the time of writing the vulnerability is still undergoing assessment and has not been assigned a CVSS score.
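To make the mechanism concrete, here is an added example (not Ninja Forms' code; the parameter names `nf_form_id` and `return_to` are hypothetical) showing the vulnerable pattern beside the hardened one as it would appear in a WordPress plugin:

```php
<?php
// Added example, not code from Ninja Forms. The parameter names nf_form_id and
// return_to are hypothetical and chosen only for illustration.

// VULNERABLE: a query-string value is written straight into HTML. A crafted link such as
//   /?nf_form_id=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
// closes the value attribute and injects a script that runs in the visitor's session.
function vulnerable_form_id_field() {
    $form_id = isset($_GET['nf_form_id']) ? $_GET['nf_form_id'] : '';
    return '<input type="hidden" name="form_id" value="' . $form_id . '">';
}

// HARDENED: validate the type you expect (a form ID is a non-negative integer) and
// escape on output. absint() discards anything that is not a number, and esc_attr()
// turns any quote or angle bracket into an HTML entity.
function hardened_form_id_field() {
    $form_id = isset($_GET['nf_form_id']) ? absint(wp_unslash($_GET['nf_form_id'])) : 0;
    return '<input type="hidden" name="form_id" value="' . esc_attr((string) $form_id) . '">';
}

// When the reflected value is a URL (for example a "return to" link built from the
// request), escape it with esc_url(), which only allows safe protocols, so a
// javascript: URL or a stray quote cannot survive into the href attribute.
// If the value is later used for an actual redirect, pass it through wp_safe_redirect(),
// which additionally enforces an allow-list of hosts.
function hardened_return_link() {
    $return = isset($_GET['return_to']) ? wp_unslash($_GET['return_to']) : home_url('/');
    return '<a href="' . esc_url($return) . '">Back</a>';
}
```

The two defences are complementary: validation rejects input that does not look like what the code expects, and contextual output escaping (esc_attr() for attributes, esc_url() for URLs, esc_html() for text nodes) guarantees that whatever does get through cannot change the structure of the HTML it is placed in.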
Fluent Forms Missing Authorization
The Fluent Forms plugin is missing a capability check, which allows a low-privileged user to modify the Mailchimp API key used by the plugin's Mailchimp integration. (An API key is the credential with which the plugin authenticates to an external service, in this case Mailchimp.)
Exploitation requires an account with at least Subscriber-level access. On sites that have open user registration enabled ("Anyone can register" in Settings > General) an attacker can create such an account directly; on sites without it, the attacker would need an existing low-privileged account. The vulnerability was assigned a medium-severity CVSS score of 4.2 (on a scale of 1 to 10).
Wordfence describes this vulnerability:
"The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Mailchimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18.
This makes it possible for Form Managers with Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server."
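The advisory names two gaps: a missing capability check on the request handler, and no validation of the key itself. The following is an added example (not Fluent Forms' code) of how a WordPress AJAX handler that stores a Mailchimp API key would close both. The hook name, option name, nonce action and the required capability (manage_options) are hypothetical choices, and the key-format regex is an assumption about what a legitimate key looks like:

```php
<?php
// Added example, not Fluent Forms' code. The hook name, option name, nonce action and
// the capability required (manage_options) are hypothetical choices for illustration.

add_action('wp_ajax_example_save_mailchimp_key', 'example_save_mailchimp_key');

function example_save_mailchimp_key() {
    // Nonce: blocks cross-site request forgery (dies with 403 on failure).
    check_ajax_referer('example_mailchimp_settings', 'nonce');

    // Capability check: the step the advisory describes as insufficient. Without it,
    // any authenticated user (Subscriber and above) who can reach the AJAX endpoint
    // can overwrite the integration credential.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient permissions'], 403);
    }

    $key = isset($_POST['api_key']) ? sanitize_text_field(wp_unslash($_POST['api_key'])) : '';

    // Format validation: the second gap the advisory mentions. Storing an arbitrary
    // string lets the data-center suffix steer later requests to a host the
    // attacker controls.
    if (!example_is_valid_mailchimp_key($key)) {
        wp_send_json_error(['message' => 'API key has an unexpected format'], 400);
    }

    update_option('example_mailchimp_api_key', $key);
    wp_send_json_success(['message' => 'saved']);
}

// Mailchimp API keys end in a data-center suffix (for example "us21") that clients use
// to build the API host, https://<dc>.api.mailchimp.com/3.0/. Assumption made here:
// a legitimate key is 32 hex characters, a dash, then two letters and one or two digits.
function example_is_valid_mailchimp_key(string $key): bool {
    return (bool) preg_match('/^[a-f0-9]{32}-[a-z]{2}[0-9]{1,2}$/', $key);
}

// Build the base URL only from a key that passed validation, so the host can never be
// anything other than <dc>.api.mailchimp.com. With plain concatenation and no check,
// a "key" such as "x-attacker.example/#" would yield
// https://attacker.example/#.api.mailchimp.com/3.0/ and send the request elsewhere.
function example_mailchimp_api_url(string $key): string {
    if (!example_is_valid_mailchimp_key($key)) {
        throw new InvalidArgumentException('refusing to build a URL from an unvalidated key');
    }
    $dc = substr($key, strrpos($key, '-') + 1);
    return 'https://' . $dc . '.api.mailchimp.com/3.0/';
}

// Example call: add a member to an audience. Mailchimp uses HTTP Basic auth with any
// user name and the API key as the password.
function example_mailchimp_request(string $key, string $list_id, array $body) {
    return wp_safe_remote_post(
        example_mailchimp_api_url($key) . 'lists/' . rawurlencode($list_id) . '/members',
        [
            'headers' => [
                'Authorization' => 'Basic ' . base64_encode('anystring:' . $key),
                'Content-Type'  => 'application/json',
            ],
            'body'    => wp_json_encode($body),
            'timeout' => 15,
        ]
    );
}
```

Note that wp_safe_remote_post() only refuses requests to non-public IP ranges and unusual ports; it does nothing to stop a request from going to an attacker's public host. That is why the key has to be validated before the URL is built, and why the capability check has to sit on the handler that stores it rather than on the settings page that merely displays the form.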
Recommended Action
Users of either plugin should update to the latest version. At the time of writing, Fluent Forms is at version 5.2.0 (the vulnerability affects all versions up to and including 5.1.18) and Ninja Forms is at version 3.8.14.
Read the NVD Advisory for Ninja Forms Contact Form plugin: CVE-2024-7354
Read the NVD advisory for the Fluent Forms contact form: CVE-2024
Read the Wordfence advisory on Fluent Forms contact form:
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 – Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification
Featured Image by Shutterstock/Cast Of Thousands