CVE-2024-0618 in Fluent Forms Plugin
Summary
by MITRE • 01/27/2024
The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2024-0618 affects the Fluent Forms plugin for WordPress, specifically targeting versions up to and including 5.1.5. This represents a critical stored cross-site scripting vulnerability that exploits the plugin's handling of imported form titles within the WordPress administration interface. The flaw resides in the insufficient sanitization of user input and inadequate output escaping mechanisms that fail to properly validate or encode potentially malicious content before it is stored in the database and subsequently rendered in web pages. The vulnerability's impact is particularly severe because it requires only administrator-level access to exploit, making it a prime target for attackers seeking to compromise high-privilege accounts within WordPress environments.
The technical exploitation of this vulnerability occurs through the import functionality of the plugin where form titles can contain malicious script payloads that are not properly sanitized during the import process. When these imported form titles are displayed in the WordPress admin interface or rendered on public pages, the stored scripts execute in the context of other users' browsers who access these pages. This creates a persistent threat vector where attackers can establish backdoors, steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious sites. The vulnerability specifically affects multi-site WordPress installations and environments where the unfiltered_html capability has been disabled, indicating that the protection mechanisms that would normally prevent such attacks are either bypassed or insufficiently implemented.
The operational impact of CVE-2024-0618 extends beyond simple script execution as it enables attackers to leverage the administrator privileges to manipulate the entire WordPress installation. This vulnerability can be used to create persistent access points, modify content, install malicious plugins, or even compromise the underlying server infrastructure. The attack surface is particularly concerning in multi-site environments where a single compromised form could potentially affect multiple sites within the network. This aligns with ATT&CK technique T1566.001 for initial access through valid accounts and T1059.001 for execution through command and scripting interpreter, as attackers can establish persistent access through the stored XSS payload. The vulnerability also relates to CWE-79 which describes cross-site scripting flaws, and CWE-20 which covers improper input validation.
Mitigation strategies for CVE-2024-0618 require immediate action including updating to the patched version of the Fluent Forms plugin, which should be verified to contain proper input sanitization and output escaping mechanisms. Organizations should implement additional security measures such as restricting administrative access to trusted users only, implementing web application firewalls with XSS detection capabilities, and conducting regular security audits of plugin installations. The principle of least privilege should be enforced where possible, limiting the ability of users to import forms or modify plugin configurations. Network segmentation and monitoring should be enhanced to detect anomalous activities that might indicate exploitation attempts. Security professionals should also consider implementing Content Security Policy headers to add an additional layer of protection against script injection attacks, and establish regular vulnerability scanning procedures to identify similar issues in other plugins or themes within the WordPress ecosystem.