CVE-2024-2771: Unauthenticated Attackers Can Hijack 400K+ WordPress Sites via Fluent Forms Bug

Bar Refael

May 21, 2024

A security vulnerability has been discovered in Fluent Forms, a popular WordPress plugin with over 400,000 active installations. This vulnerability, designated as CVE-2024-2771, enables unauthenticated attackers to grant themselves or others administrative access to the plugin, potentially leading to website defacement, data theft, and disruption of website operations.


  • Vulnerability: Missing Authorization to Settings Update and Limited Privilege Escalation
  • Software: Fluent Forms
  • Affected Versions: Up to version 5.1.16
  • Impact: Unauthorized access, website defacement, data theft, disruption of website operations

This critical flaw (CVSS 9.8) allows attackers to manipulate settings and data without authentication, posing a significant risk to websites using the plugin.

Mitigation Steps:

  • Update Software: Immediately update Fluent Forms to version 5.1.17 or later.
  • Regular Backups: Regularly back up your website data.
  • Strong Password Policies: Implement strong password policies.
  • Web Application Firewalls (WAFs): Use WAFs to protect against common attacks.
  • Monitor Activity: Monitor your website for suspicious activity.
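To act on the update step across many sites, the following added example (not code from this advisory or from the Fluent Forms project) walks a hosting root, reads each installed copy's plugin header, and flags anything below 5.1.17. The plugin directory name `fluentform` and the layout `<site>/wp-content/plugins/` are assumptions not stated on this page, and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (5, 1, 17)      # first patched release named in the advisory
SLUG = "fluentform"     # assumption: plugin directory name, not given on the page
HEADER_BYTES = 8192     # WordPress reads only the first 8 KB for plugin headers

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

# Constructed sample header, used only by the demo at the bottom.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Fluent Forms\n * Version: 5.1.16\n */\n"


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True for anything below 5.1.17 (the advisory: up to 5.1.16)."""
    padded = version + (0,) * (len(FIXED) - len(version))  # (5, 2) -> (5, 2, 0)
    return padded < FIXED


def audit(web_root):
    """Return [(plugin_dir, version_or_None, status)] for each copy found."""
    findings = []
    for plugin_dir in sorted(Path(web_root).rglob(f"wp-content/plugins/{SLUG}")):
        version = None
        for php in sorted(plugin_dir.glob("*.php")):
            with open(php, "rb") as fh:
                head = fh.read(HEADER_BYTES).decode("utf-8", "replace")
            version = parse_version(head)
            if version is not None:
                break
        if version is None:
            status = "UNKNOWN"  # no version header found: inspect by hand
        else:
            status = "VULNERABLE" if is_vulnerable(version) else "ok"
        findings.append((str(plugin_dir), version, status))
    return findings


if __name__ == "__main__":
    print("sample:", parse_version(SAMPLE_HEADER), is_vulnerable(parse_version(SAMPLE_HEADER)))
    for path, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {'.'.join(map(str, version or ())) or '?':10} {path}")
```

Run it with the directory that contains the sites as its only argument; copies reported as `UNKNOWN` had no readable version header and need a manual check.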

Stay Secure. Stay Informed.

OP Innovate Research Team.
