PT-2026-40561 · WordPress · Fluent Forms
Djaidja Moundjid
·
Published
2026-05-13
·
Updated
2026-05-13
·
CVE-2026-6828
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Fluent Forms versions prior to 6.2.2
Description
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping within the
permission message parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.Recommendations
Update to a version later than 6.2.1.
As a temporary workaround, restrict the use of the
permission message parameter until the update is applied.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fluent Forms