Fluent Forms is a widely used WordPress plugin with more than 500,000 active installations, known for its lightweight and capable contact form builder. With drag-and-drop customization, conditional logic and built-in anti-spam, it has become a staple for businesses and developers alike. That popularity also makes it an attractive target. CVE-2024-9651, a stored cross-site scripting (XSS) vulnerability in older versions of Fluent Forms, poses a significant risk: a script injected into a form and later executed in an administrator's browser can be used to plant a backdoor and compromise the whole site.

Version 5.2.5 of Fluent Forms has received a Plugin Security Certificate (PSC) from CleanTalk, which attests that this version was tested and the reported issue is fixed.

CVE: CVE-2024-9651
Plugin: Fluent Forms < 5.2.1
Criticality: Medium
All-time downloads: 8 655 627
Active installations: 500 000+
Publicly published: November 19, 2024
Last updated: November 19, 2024
Researcher: Artyom Krugov
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9651
https://wpscan.com/vulnerability/a2c56e42-3b3a-4e23-933f-40cf63e222c0/
Plugin Security Certification by CleanTalk

Timeline

September 9, 2024 - Plugin testing and vulnerability detection in Fluent Forms were completed
September 9, 2024 - I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 19, 2024 - Registered CVE-2024-9651

Discovery of the Vulnerability

The stored XSS vulnerability in the affected Fluent Forms versions was discovered during a routine security review. The issue lies in the "Custom Error Message" field in the form configuration. This field lets anyone who can edit a form set the validation error text shown for a user input. Because the value is saved with the form definition and later output without adequate sanitization or escaping, it gives an attacker a place to inject markup and script.

Once saved, the payload is served as part of the form whenever that error message is rendered, so the script executes in the browser of whoever triggers the validation error. Such exploits can lead to severe consequences, including data theft, unauthorized access and the installation of backdoors.

Understanding Stored XSS Attacks

Stored XSS occurs when a malicious script is injected into an application and persisted on the server. The script is then served to other users and executes in their browsers as part of what looks like legitimate content. In WordPress, stored XSS is particularly dangerous because the injected script runs with the privileges of whoever loads the page. If that person is an administrator, the script can use their authenticated session to create users, edit theme or plugin files, or install a plugin, which is how an XSS in a form plugin like Fluent Forms turns into a backdoor on the site.
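The mechanism described above, as an added example that is not Fluent Forms code: a custom error message concatenated into markup versus the same message HTML-escaped before output. The rendering functions, the escapeHtml helper and the tag extractor are illustrative; rendering is simulated with string building so the block runs under Node without a DOM.

```javascript
// Added example (not code from Fluent Forms): how an unescaped "Custom Error Message"
// becomes stored XSS, and how escaping the value for its output context neutralises
// the same payload. Rendering is simulated with plain string building (no DOM needed).

// The payload from the advisory: the leading "> closes any attribute and tag the value
// lands in, the empty <script> pair probes for naive filters, and the <img> fires
// its onerror handler because src=x never loads.
const PAYLOAD = '"><script></script><img src=x onerror=alert(/testXSS/)>';

// Minimal HTML escaper, equivalent in effect to WordPress's esc_html()/esc_attr().
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable pattern: the stored message is concatenated straight into markup,
// once inside an attribute and once as element text.
function renderErrorVulnerable(message) {
  return '<div class="error" data-msg="' + message + '">' + message + '</div>';
}

// Hardened pattern: every interpolation point is escaped before it reaches the page.
function renderErrorSafe(message) {
  const safe = escapeHtml(message);
  return '<div class="error" data-msg="' + safe + '">' + safe + '</div>';
}

// Crude extractor of what a browser would parse as element start tags.
// Good enough to show the difference; it is not an HTML parser.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g), m => m[1].toLowerCase());
}

// Stand-alone demonstration.
console.log('vulnerable tags:', tagNames(renderErrorVulnerable(PAYLOAD)));
console.log('hardened tags:  ', tagNames(renderErrorSafe(PAYLOAD)));
```

With the payload, the vulnerable render contains script and img start tags; the hardened render contains only the wrapping div, and the payload text survives as visible characters that the browser never interprets as markup.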

Exploiting the XSS Vulnerability

To exploit this vulnerability, an attacker needs only a WordPress account whose role is allowed to edit forms in Fluent Forms. Here is a step-by-step breakdown:

POC:

  1. Access Fluent Forms: navigate to the plugin's settings in the WordPress dashboard.
  2. Create a new form: click "Add New Form" and select a template, such as "Graphic Designer Contact."
  3. Inject the payload: edit the "Your Email" field and place the malicious payload in its "Custom Error Message" field.
  4. Save the form: save the form settings, which stores the payload in the form definition.
  5. Trigger the exploit: use the shortcode to embed the form on a page or post. When a visitor submits the form with a value that fails that field's validation, the stored error message is rendered and the payload executes in that visitor's browser.
PoC Payload: "><script></script><img src=x onerror=alert(/testXSS/)>

The leading "> closes whatever attribute or tag the value is placed in, the empty <script></script> pair is a probe for naive filters, and the <img> executes its onerror handler because src=x never loads. Replace the alert with a script that uses an administrator's session to create an account or write a file, and the same injection becomes a backdoor.
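A triage helper for the procedure above, as an added example that is not part of the advisory or of Fluent Forms: it walks an exported form definition and reports every string value carrying an HTML-injection marker, so an administrator can find which saved forms already hold a payload like the one above. The sample form object is constructed to resemble a Fluent Forms export; its field and settings names are illustrative assumptions, not the plugin's documented schema.

```javascript
// Added example (not code from Fluent Forms): walk a form definition and flag string
// values that look like stored HTML injection. The SAMPLE_FORM below is constructed
// for this example; its key names are assumptions, not the plugin's schema.

// Coarse markers for triage. This is a filter, not an HTML parser: expect to review
// each hit by hand, and extend the list for the encodings your site actually sees.
const SUSPICIOUS = [
  { name: 'script tag', re: /<\s*script\b/i },
  { name: 'inline event handler', re: /\bon[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /javascript\s*:/i },
];

// Recursive walk over objects, arrays and strings, recording the JSON path of each hit.
function scanValue(value, path, findings) {
  if (typeof value === 'string') {
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(value)) findings.push({ path, marker: name, value });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => scanValue(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      scanValue(v, path ? `${path}.${k}` : k, findings);
    }
  }
}

// Entry point: returns an array of { path, marker, value } for one form definition.
function scanFormDefinition(form) {
  const findings = [];
  scanValue(form, '', findings);
  return findings;
}

// Constructed sample: two fields, one carrying the advisory's payload in its
// validation error message (the place CVE-2024-9651 is exploited).
const SAMPLE_FORM = {
  title: 'Graphic Designer Contact',
  fields: [
    { name: 'name',
      settings: { validation_rules: { required: { value: true, message: 'Name is required' } } } },
    { name: 'email',
      settings: { validation_rules: { email: { value: true,
        message: '"><script></script><img src=x onerror=alert(/testXSS/)>' } } } },
  ],
};

// Stand-alone demonstration: prints one line per hit with its location in the form.
for (const f of scanFormDefinition(SAMPLE_FORM)) {
  console.log(`${f.path}: ${f.marker} -> ${f.value}`);
}
```

Run it over each form's definition (for example the JSON produced by the plugin's form export) and treat every hit as a form to inspect and clean before, not instead of, updating the plugin; updating stops the stored value from executing, but it does not remove the value.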


This simplicity underscores the danger of stored XSS vulnerabilities, particularly in widely used plugins like Fluent Forms.

Recommendations for Improved Security

CVE-2024-9651 serves as a reminder of the importance of vigilance in plugin development and usage. While Fluent Forms is a powerful and versatile tool, its widespread adoption makes it a prime target for exploitation.

Version 5.2.5 addresses this vulnerability and carries CleanTalk's PSC certification. Administrators should update to 5.2.5 or later, review the custom error messages of existing forms for injected markup, and limit form-editing rights to accounts that need them. By staying updated and following these practices, WordPress administrators can keep using Fluent Forms' features without compromising security. Let this be a call to action for developers and users alike to prioritize security in every aspect of their digital presence.

An article on preventing Cross-Site Scripting vulnerabilities

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9651, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #Vulnerability

Use CleanTalk solutions to improve the security of your website

Artyom k.
CVE-2024-9651 – Fluent Forms – Stored XSS to Backdoor Creation – POC
