PT-2026-40561 · WordPress · Fluent Forms

Djaidja Moundjid

·

Published

2026-05-13

·

Updated

2026-05-13

·

CVE-2026-6828

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Fluent Forms versions prior to 6.2.2
Description The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping within the permission message parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.
Recommendations Update to a version later than 6.2.1. As a temporary workaround, restrict the use of the permission message parameter until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6828

Affected Products

Fluent Forms