CVE-2023-41952: 
WordPress vulnerability analysis and mitigation

The Contact Form for Plugin by Fluent Forms plugin for WordPress contains a Missing Authorization vulnerability (CVE-2023-41952) in versions up to and including 5.0.8. The vulnerability was discovered by Revan Arifio and publicly disclosed on September 8, 2023 (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue within the addIsRenderableFilter() function. The flaw stems from missing validation on the publication status of a form, resulting in a CVSS score of 5.3 (medium severity). The vulnerability is categorized under OWASP Top 10 A5: Broken Access Control and CWE-639 (WPScan, Patchstack).

The vulnerability allows users to render and submit forms when they are in an 'unpublished' state, potentially bypassing intended access controls. This broken access control issue could lead to unprivileged users executing certain higher privileged actions (Patchstack).

The vulnerability has been fixed in version 5.0.9 of the Fluent Forms plugin. Users are advised to update to version 5.0.9 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).