CVE-2024-13666

MEDIUM EPSS 18.3%
Published Mar 22, 20251y ago · Modified Jun 17, 20261w ago
5.3 CVSS 3.1
Medium
Find Similar
Published Mar 22, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers spoof their IP address and submit forms that may have IP-based restrictions.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
18.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-20 Improper Input Validation Validation

References 2

  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3258647%40fluentform%2Ftrunk&old=3242624%40fluentform%2Ftrunk&sfp_email=&sfph_mail=
  • wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/e06fe8e4-e27a-4492-b175-3b0846e4cf10?source=cve

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.