PT-2024-22001 · WordPress · Fluent Forms

Kun_19

+1

·

Published

2024-05-18

·

Updated

2025-09-19

·

CVE-2024-2771

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress, versions up to and including 5.1.16
Description

The issue is a missing capability check on the "/wp-json/fluentform/v1/managers" REST API endpoint. Because the endpoint does not verify that the caller holds an administrative capability, an unauthenticated attacker can grant Fluent Forms manager permissions to arbitrary users, giving those users access to all of the plugin's settings and features. The same endpoint also allows an unauthenticated attacker to delete manager accounts.
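To make the bug class concrete, the following is an added illustration written for this advisory; it is not Fluent Forms code. It registers a hypothetical route twice under an assumed namespace ("example/v1"): once in the vulnerable shape (a REST route whose permission_callback accepts everyone) and once with the capability check that the vulnerable endpoint lacked. The callback name, meta key and argument names are assumptions.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// Namespace 'example/v1', routes, callback and meta key are hypothetical.

add_action( 'rest_api_init', function () {

    // Vulnerable pattern: '__return_true' makes the route reachable by any
    // unauthenticated visitor, so a POST/DELETE here is a privilege change
    // with no authorization at all.
    register_rest_route( 'example/v1', '/managers', array(
        'methods'             => array( 'POST', 'DELETE' ),
        'callback'            => 'example_manage_managers',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: the same callback, but WordPress only dispatches the
    // request when the caller holds the administrator capability. The check
    // runs on every request, independent of any UI-side gating.
    register_rest_route( 'example/v1', '/managers-hardened', array(
        'methods'             => array( 'POST', 'DELETE' ),
        'callback'            => 'example_manage_managers',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Administrator capability required.',
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Hypothetical handler: grants or revokes a "manager" flag on a user.
function example_manage_managers( WP_REST_Request $request ) {
    $user_id = (int) $request['user_id'];
    if ( 'DELETE' === $request->get_method() ) {
        delete_user_meta( $user_id, 'example_is_manager' );
        return rest_ensure_response( array( 'removed' => $user_id ) );
    }
    update_user_meta( $user_id, 'example_is_manager', 1 );
    return rest_ensure_response( array( 'granted' => $user_id ) );
}
```

Two points worth checking when reviewing a fix of this kind: the permission_callback must itself call a capability check (a callback that only checks is_user_logged_in() would still let any subscriber grant themselves manager rights), and cookie-authenticated REST requests are treated as logged out unless they carry a valid nonce in the X-WP-Nonce header, so a quick unauthenticated curl against the hardened route should return 401, not a success response.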
Recommendations

For versions up to and including 5.1.16, update to a version higher than 5.1.16 to resolve the issue. As a temporary workaround, restrict access to the "/wp-json/fluentform/v1/managers" API endpoint until the update can be applied. Note that WordPress also serves REST routes through the rest_route query parameter (for example "/?rest_route=/fluentform/v1/managers"), so a web-server rule that only matches the "/wp-json/" path does not fully block the endpoint; a restriction applied inside WordPress covers both forms.
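One way to apply the temporary workaround inside WordPress, as an added example for this advisory (not code from Fluent Forms or the plugin vendor): a must-use plugin that short-circuits REST dispatch for the affected route unless the caller is an administrator. It assumes that only users with the manage_options capability should administer Fluent Forms managers; the file name and plugin header are the author's choice.

```php
<?php
/**
 * Plugin Name: Restrict Fluent Forms managers endpoint
 * Description: Temporary mitigation for CVE-2024-2771. Added example for this
 *              advisory, not vendor code. Place in wp-content/mu-plugins/.
 */

// 'rest_pre_dispatch' runs for every REST request, whether it arrived via
// /wp-json/... or via ?rest_route=..., before the route callback executes.
// Returning a non-null value (here a WP_Error) stops dispatch.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Match the vulnerable route and any sub-route beneath it.
    $route = $request->get_route(); // e.g. "/fluentform/v1/managers"
    if ( 0 !== strpos( $route, '/fluentform/v1/managers' ) ) {
        return $result; // unrelated route, leave it alone
    }

    // Assumption: administrator capability is the right bar for this route.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
        );
    }

    return $result;
}, 10, 3 );
```

After installing it, verify from outside the site that an unauthenticated request to "/wp-json/fluentform/v1/managers" and to "/?rest_route=/fluentform/v1/managers" both return 401 rather than data, and that an administrator's own Fluent Forms manager screen still works (legitimate admin requests carry the REST nonce, so current_user_can resolves to the real user). Remove the must-use plugin once the site is on a patched version.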

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2024-2771

Affected Products

Fluent Forms