CVE-2021-34620
HIGH
WP Fluent Forms < 3.6.67 - Cross-Site Request Forgery leading to Stored Cross-Site Scripting and Privilege Escalation
The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation, due to a missing nonce check in the access control function for administrative AJAX actions.
References (2)
Exploit, Vendor Advisory x_refsource_misc
https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/Acl/Acl.php?rev=2196688
Exploit, Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-in-wp-fluent-forms/
Scores
CVSS v3
8.8
EPSS
0.0263
EPSS Percentile
83.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-352
CWE-79
Status
published
Products (1)
fluentforms/contact_form
< 3.6.67
Published
Jul 07, 2021
Tracked Since
Feb 18, 2026