CVE-2024-13666
MEDIUM EPSS 18.3%
Published Mar 22, 20251y ago · Modified Jun 17, 20261w ago
5.3 CVSS 3.1
Published Mar 22, 2025 1y ago
Last Modified Jun 17, 2026 1w ago
Description
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers spoof their IP address and submit forms that may have IP-based restrictions.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None
Threat Intelligence
EPSS Exploit Probability
18.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-20 Improper Input Validation Validation
References 2
- plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3258647%40fluentform%2Ftrunk&old=3242624%40fluentform%2Ftrunk&sfp_email=&sfph_mail=
- wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/e06fe8e4-e27a-4492-b175-3b0846e4cf10?source=cve
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.