CVE-2026-2365

HIGH

Fluent Forms Pro Add On Pack <= 6.1.17 - Unauthenticated Stored XSS via fluentform_step_form_save_data

Title source: llm

Description

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages; the scripts execute whenever an administrator views a partial form entry.
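The description names three missing controls on the draft-save endpoint: nonce verification, input sanitization, and output escaping. The following is an added, hypothetical illustration of a WordPress AJAX handler that applies all three; it is not Fluent Forms Pro's code or its fix, and it assumes the action is exposed through the `wp_ajax_` / `wp_ajax_nopriv_` hooks, with the nonce action name, `example_` function names and transient storage being assumptions.

```php
<?php
// Illustrative hardening of a draft-save AJAX handler (added example, hypothetical
// code, not Fluent Forms Pro's). Assumes the action is exposed via admin-ajax hooks.
add_action( 'wp_ajax_fluentform_step_form_save_data', 'example_save_step_data' );
add_action( 'wp_ajax_nopriv_fluentform_step_form_save_data', 'example_save_step_data' );

function example_save_step_data() {
    // 1. Nonce verification. The rendered form embeds wp_create_nonce( 'example_step_save' );
    //    logged-out visitors receive a valid nonce too, so a public endpoint can still require one.
    check_ajax_referer( 'example_step_save', '_nonce' );

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $fields  = isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) ? wp_unslash( $_POST['fields'] ) : array();
    if ( ! $form_id || empty( $fields ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request' ), 400 );
    }

    // 2. Input sanitization: keys limited to [a-z0-9_-], values reduced to plain text.
    $clean = array();
    foreach ( $fields as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = is_array( $value )
            ? array_map( 'sanitize_text_field', $value )
            : sanitize_text_field( $value );
    }

    // Store the draft under a random resume token (transient storage is an assumption).
    $token = wp_generate_password( 32, false );
    set_transient( 'example_draft_' . $token, array( 'form_id' => $form_id, 'fields' => $clean ), DAY_IN_SECONDS );
    wp_send_json_success( array( 'token' => $token ) );
}

// 3. Output escaping. Sanitizing at write time is not a substitute for escaping at
//    render time: the admin screen escapes every stored value before printing it.
function example_render_partial_entry( array $fields ) {
    echo '<table class="widefat">';
    foreach ( $fields as $key => $value ) {
        $text = is_array( $value ) ? implode( ', ', $value ) : (string) $value;
        printf( '<tr><th>%s</th><td>%s</td></tr>', esc_html( $key ), esc_html( $text ) );
    }
    echo '</table>';
}
```

The render-time escaping in step 3 is the control that blocks the stored payload from executing in the administrator's browser even if a write-path check is bypassed.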

Scores

CVSS v3 7.2
EPSS 0.0026
EPSS Percentile 17.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
techjewel/Fluent Forms Pro Add On Pack < 6.1.17
Published Mar 05, 2026
Tracked Since Mar 05, 2026