CVE-2024-2771: 
WordPress vulnerability analysis and mitigation

The Contact Form Plugin by Fluent Forms for WordPress (CVE-2024-2771) contains a critical privilege escalation vulnerability affecting versions up to 5.1.16. The vulnerability stems from a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint, discovered and disclosed on May 18, 2024 (NVD, SecurityOnline).

The vulnerability is rated as Critical with a CVSS v3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The security flaw is classified under CWE-862 (Missing Authorization) and affects the REST API endpoint that manages plugin permissions. The vulnerability allows unauthenticated attackers to manipulate user permissions and access plugin settings without proper authorization (NVD).

The vulnerability affects over 400,000 active WordPress installations using the Fluent Forms plugin. Successful exploitation allows unauthenticated attackers to grant themselves or others administrative access to the plugin's settings and features, as well as delete manager accounts. This can lead to complete plugin compromise and potential website takeover (SecurityOnline).

The vulnerability has been patched in version 5.1.17 of the Fluent Forms plugin. Website administrators are strongly urged to update to this version immediately. The fix implements proper authorization checks in the RoleManagerPolicy.php file (WPScan).