CVE-2024-13666
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 5.2.12 - IP-Spoofing
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers spoof their IP address and submit forms that may have IP-based restrictions.
| CWE | CWE-20 |
| Vendor | techjewel |
| Product | fluent forms – customizable contact forms, survey, quiz, & conversational form builder |
| Published | Mar 22, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for techjewel fluent forms – customizable contact forms, survey, quiz, & conversational form builder
Be the first to know when new medium vulnerabilities affecting techjewel fluent forms – customizable contact forms, survey, quiz, & conversational form builder are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
techjewel / Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
0 ≤ 5.2.12
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/e06fe8e4-e27a-4492-b175-3b0846e4cf10?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3258647%40fluentform%2Ftrunk&old=3242624%40fluentform%2Ftrunk&sfp_email=&sfph_mail=
Credits
Khayal Farzaliyev