FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-9528

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 5, 2024 / Updated: 46d ago

010
CVSS 4.9EPSS 0.07%Medium
CVE info copied to clipboard

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to edit forms (administrator by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9528

Oct 5, 2024 at 3:15 AM
CVSS

A CVSS base score of 4.9 has been assigned.

Oct 5, 2024 at 3:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9528. See article

Oct 5, 2024 at 3:21 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 5, 2024 at 3:21 AM
EPSS

EPSS Score was set to: 0.07% (Percentile: 30.8%)

Oct 5, 2024 at 10:04 AM
Static CVE Timeline Graph

Affected Systems

Fluentforms/contact_form
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

News

WordPress Vulnerability & Patch Roundup October 2024
unSafe.sh - 不安全 / 18d
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
WordPress Vulnerability &amp; Patch Roundup October 2024
unSafe.sh - 不安全 / 18d
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
WordPress Vulnerability &amp; Patch Roundup October 2024
Sucuri Blog / 18d
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
WordPress FluentForm Plugin &lt;= 5.1.19 is vulnerable to Cross Site Scripting (XSS)
Vulners.com RSS Feed / 44d
Software FluentForm Type Plugin Vulnerable versions &lt;= 5.1.19 Fixed in 5.1.20 OWASP Top 10 A7: Cross-Site Scripting (XSS) Classification Cross Site Scripting (XSS) CVE CVE-2024-9528 Patch priority Low CVSS severity Low (5.9) Developer Claim ownership PSID 973bb3afee30 Credits Ivan Kuzymchak Required privilege Administrator Published 7 October, 2024 Vulnerability details Expand full details Have additional information or questions about this entry? Let us know. Solution This security issue has a low severity impact and is unlikely to be...
CVE-2024-9528
INCIBE-CERT - Vulnerabilities RSS / 45d
Gravedad 3.1 (CVSS 3.1 Base Score) Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
See 8 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:High
Privileges Required:Low
User Interaction:None
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

CVSS 4.9(21798)CWE-79(31345)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial