CVE-2024-4157

Name of the Vulnerable Software and Affected Versions The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress versions up to, and including, 5.1.15

Description The issue is related to PHP Object Injection via deserialization of untrusted input in the extractDynamicValues function. This allows authenticated attackers with contributor-level access and above to inject a PHP Object. If a POP chain is present via an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions.

Recommendations For versions up to, and including, 5.1.15, consider disabling the extractDynamicValues function as a temporary workaround until a patch is available. Restrict access to the plugin to minimize the risk of exploitation, ensuring that only trusted users have "View Form" and "Manage Form" permissions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.