PT-2026-23129 · WordPress · Fluent Forms Pro
Prickly Cactus
·
Published
2026-03-05
·
Updated
2026-03-08
·
CVE-2026-2365
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Fluent Forms Pro versions up to and including 6.1.17
Description
The Fluent Forms Pro plugin for WordPress is susceptible to Stored Cross-Site Scripting through the "fluentform step form save data" AJAX action. Two defects combine: the draft (partial) form submission endpoint is publicly reachable without authentication or nonce verification, and the submitted field values are neither sufficiently sanitized on input nor escaped on output. An unauthenticated attacker can therefore store arbitrary web scripts in a partial entry; the scripts execute in the browser of an administrator who later views that entry.
Recommendations
Fluent Forms Pro 6.1.17 and earlier is affected and should be updated to a release that fixes this issue.
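The following is an added illustration of the bug class described above and of the fix pattern; it is not Fluent Forms Pro code and does not reproduce the plugin's handler. It uses a hypothetical plugin prefix `myplugin_`, hypothetical action names, and the `hash`, `fields` and `nonce` request parameters, all of which are assumptions. The first half shows a draft-save AJAX action registered for logged-out users (`wp_ajax_nopriv_*`) that stores raw input and echoes it unescaped on an admin page; the second half shows the same flow with nonce verification, input sanitization, a capability check on the viewing side and output escaping.

```php
<?php
// Added example (not Fluent Forms Pro code). All names are hypothetical.

// --- Vulnerable pattern: unauthenticated draft save, raw storage, unescaped view ---
add_action( 'wp_ajax_nopriv_myplugin_save_draft', 'myplugin_save_draft_unsafe' );
add_action( 'wp_ajax_myplugin_save_draft', 'myplugin_save_draft_unsafe' );

function myplugin_save_draft_unsafe() {
    // No nonce and no capability check: any visitor can call admin-ajax.php?action=myplugin_save_draft
    $hash   = sanitize_key( $_POST['hash'] ?? '' );
    $fields = isset( $_POST['fields'] ) ? (array) wp_unslash( $_POST['fields'] ) : array();
    // Field values are stored exactly as submitted, including "<script>" tags.
    update_option( 'myplugin_draft_' . $hash, $fields, false );
    wp_send_json_success();
}

function myplugin_render_draft_unsafe( $hash ) {
    $fields = get_option( 'myplugin_draft_' . sanitize_key( $hash ), array() );
    foreach ( $fields as $name => $value ) {
        // Unescaped output: a stored payload runs in the administrator's browser.
        echo '<li>' . $name . ': ' . ( is_array( $value ) ? implode( ', ', $value ) : $value ) . '</li>';
    }
}

// --- Hardened pattern: nonce on save, sanitize on input, escape on output ---
add_action( 'wp_ajax_nopriv_myplugin_save_draft_v2', 'myplugin_save_draft_safe' );
add_action( 'wp_ajax_myplugin_save_draft_v2', 'myplugin_save_draft_safe' );

function myplugin_save_draft_safe() {
    // The form must embed wp_create_nonce( 'myplugin_draft' ) and post it as "nonce";
    // check_ajax_referer() dies with a 403 when it is missing or stale.
    check_ajax_referer( 'myplugin_draft', 'nonce' );

    $hash   = sanitize_key( $_POST['hash'] ?? '' );
    $fields = isset( $_POST['fields'] ) ? (array) wp_unslash( $_POST['fields'] ) : array();
    $clean  = array();
    foreach ( $fields as $name => $value ) {
        // sanitize_text_field() strips tags, octets and line breaks from every value.
        $clean[ sanitize_key( $name ) ] = is_array( $value )
            ? array_map( 'sanitize_text_field', $value )
            : sanitize_text_field( (string) $value );
    }
    update_option( 'myplugin_draft_' . $hash, $clean, false );
    wp_send_json_success();
}

function myplugin_render_draft_safe( $hash ) {
    // Only administrators may view partial entries.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $fields = get_option( 'myplugin_draft_' . sanitize_key( $hash ), array() );
    foreach ( $fields as $name => $value ) {
        $text = is_array( $value ) ? implode( ', ', $value ) : (string) $value;
        // esc_html() on every piece of stored data, regardless of what sanitization ran on input.
        echo '<li>' . esc_html( $name ) . ': ' . esc_html( $text ) . '</li>';
    }
}
```

The output-side `esc_html()` is the control that actually neutralizes a stored payload when the administrator opens the entry; input sanitization and the nonce check reduce what an anonymous caller can store and who can store it, but should not be relied on alone, since any other code path that writes to the same option would bypass them.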
XSS
Affected Products
Fluent Forms Pro