WordPress Contact Form Plugins Vulnerable to Attacks; Update Urged

Two popular WordPress contact form plugins, Ninja Forms and Contact Form Plugin by Fluent Forms, have been found vulnerable to separate security flaws. Between them, the two plugins have over 1.1 million installations.

Ninja Forms is affected by a reflected cross-site scripting (XSS) flaw. Because the payload is reflected, the attacker must get a victim to open a crafted link; if that victim is a logged-in administrator, the injected script runs in the administrator's session, which is how the flaw could lead to administrator-level access on the site. No CVSS score has been assigned to this vulnerability yet.

The other plugin, Contact Form Plugin by Fluent Forms, has a missing capability check that allows unauthorized modification of the Mailchimp API key used for its integration. Exploitation requires an authenticated account with subscriber-level privileges or higher, which is the lowest role a WordPress site can hand out, including to self-registered users. The flaw is rated medium severity with a CVSS score of 4.2 (out of 10).
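The following fragment is an added example, not code from Ninja Forms, Fluent Forms, or the article. It shows, in a hypothetical WordPress plugin, the two flaw classes described above: an AJAX handler that saves an integration API key with no capability check beside its hardened form, and a page that reflects a request parameter into HTML unescaped beside its escaped form. All function, action, and option names (demo_*) are made up for illustration; the WordPress APIs used (wp_ajax_* hooks, current_user_can, check_ajax_referer, sanitize_text_field, esc_html) are real.

```php
<?php
/**
 * Hypothetical WordPress plugin fragment (added example; not Fluent Forms
 * or Ninja Forms code). Names prefixed demo_ are invented for illustration.
 *
 * wp_ajax_{action} hooks fire for ANY logged-in user, Subscriber included.
 * Registering a settings-write handler on such a hook without checking a
 * capability is exactly the "missing authorization" pattern.
 */

// ---------------------------------------------------------------------
// VULNERABLE: no capability check, no nonce. A Subscriber can overwrite
// the stored integration API key by POSTing to admin-ajax.php.
// ---------------------------------------------------------------------
function demo_save_api_key_vulnerable() {
    $key = isset( $_POST['api_key'] ) ? wp_unslash( $_POST['api_key'] ) : '';
    update_option( 'demo_integration_api_key', $key ); // written for anyone logged in
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_api_key_vulnerable', 'demo_save_api_key_vulnerable' );

// ---------------------------------------------------------------------
// HARDENED: CSRF nonce, server-side capability check, input sanitization.
// Authorization is decided here, on every request, not by which admin
// screen the request happened to come from.
// ---------------------------------------------------------------------
function demo_save_api_key_hardened() {
    // Dies with a 403 unless the 'nonce' field matches this action (CSRF).
    check_ajax_referer( 'demo_save_api_key', 'nonce' );

    // Only site administrators may change integration credentials.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';

    // Hypothetical format check: accept only key-shaped input before storing it.
    if ( '' === $key || ! preg_match( '/^[A-Za-z0-9\-]{10,128}$/', $key ) ) {
        wp_send_json_error( array( 'message' => 'Invalid API key format.' ), 400 );
    }

    update_option( 'demo_integration_api_key', $key );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_api_key_hardened', 'demo_save_api_key_hardened' );

// The nonce the hardened handler expects would be generated for the admin
// page's JavaScript with wp_create_nonce( 'demo_save_api_key' ).

// ---------------------------------------------------------------------
// REFLECTED XSS: the "q" parameter is echoed straight back into the page.
// A crafted link opened by an administrator runs attacker script in that
// administrator's session.
// ---------------------------------------------------------------------
function demo_render_results_vulnerable() {
    $q = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    echo '<p>Results for: ' . $q . '</p>'; // unescaped output
}

// HARDENED: escape on output for the context the value lands in (HTML text).
function demo_render_results_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
}
```

When reviewing a plugin for this class of bug, list every callback registered on a wp_ajax_* or REST route and confirm that each one that writes options or credentials performs its own current_user_can() check and nonce verification; a check done only in the admin UI that renders the form does not protect the endpoint itself.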

To mitigate these vulnerabilities, site owners are advised to update both plugins to the patched releases: Ninja Forms 3.8.14 and Fluent Forms 5.2.0.

Read the NVD advisory for the Ninja Forms Contact Form plugin: CVE-2024-7354
Read the NVD advisory for the Fluent Forms contact form: CVE-2024
Read the Wordfence advisory on the Fluent Forms contact form: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 – Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification

Source: https://www.searchenginejournal.com/wordpress-contact-form-vulnerabilities/526057/