PT-2026-42735 · WordPress · Fluentcrm

Saleh Elsayed · Published 2026-05-22 · Updated 2026-05-22 · CVE-2026-7798

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution, versions prior to 2.9.88

Description: The plugin is susceptible to Blind Server-Side Request Forgery (SSRF), a flaw in which an attacker can make the server issue HTTP requests to an arbitrary destination. Unauthenticated attackers can exploit it through the SubscribeURL parameter to query or modify information on internal services. The issue is only exploitable while the SES bounce handling key (fc bounce key) has not been stored, which is the case when the site is in its default, unconfigured state for SES bounce handling. Once the bounce configuration page is visited, a random key is generated and stored, and unauthenticated requests are then rejected.

Recommendations: Update to version 2.9.88 or later. As a temporary mitigation, visit the SES bounce configuration page so that the fc bounce key is generated and stored.
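The failure mode in the description is worth seeing side by side: a webhook that treats "no key stored" as "no check required" versus one that treats it as a hard failure and also validates the URL it is asked to follow. The following Python model is an added illustration, not FluentCRM's own (PHP) code. The option name, the shape of the request payload, the allowlisted host suffix and the resolver are all assumptions for the example; only the SubscribeURL parameter and the stored-key behaviour come from the advisory.

```python
"""Model of the SES bounce-webhook gate described in the advisory.

Added example, not the plugin's code. vulnerable_handler skips the key
check whenever no key has been stored (the unconfigured state), so an
unauthenticated caller can make the server fetch any SubscribeURL.
hardened_handler requires a stored, matching key and validates the URL.
"""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

KEY_OPTION = "bounce_key"  # hypothetical option name, not the plugin's real one
ALLOWED_HOST_SUFFIXES = (".amazonaws.com",)  # assumed allowlist for SNS confirmation URLs


@dataclass
class OptionStore:
    """Stand-in for WordPress get_option()/update_option()."""
    options: Dict[str, str] = field(default_factory=dict)

    def get(self, name: str) -> Optional[str]:
        return self.options.get(name)

    def set(self, name: str, value: str) -> None:
        self.options[name] = value


def visit_settings_page(store: OptionStore) -> str:
    """Mirrors the advisory's mitigation: visiting the bounce config page
    generates and stores a random key if none exists yet."""
    if not store.get(KEY_OPTION):
        store.set(KEY_OPTION, secrets.token_urlsafe(24))
    return store.get(KEY_OPTION)


def vulnerable_handler(store, query_key, payload, fetch) -> str:
    """No stored key -> the key comparison is skipped and SubscribeURL from
    the request body is fetched as-is (blind SSRF)."""
    stored = store.get(KEY_OPTION)
    if stored and query_key != stored:
        return "forbidden"
    url = payload.get("SubscribeURL")
    if not url:
        return "ignored"
    fetch(url)  # server-side request to an attacker-chosen destination
    return "confirmed"


def resolves_to_public_address(host: str, resolve) -> bool:
    """Reject hosts resolving to loopback, private, link-local or other non-global ranges."""
    try:
        addrs = resolve(host)
    except OSError:
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


def safe_subscribe_url(url: str, resolve) -> bool:
    """Only follow https URLs, without credentials or odd ports, on an
    allowlisted host that resolves to a public address."""
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False
    if parts.username or parts.password or port not in (None, 443):
        return False
    if not any(host.endswith(suffix) for suffix in ALLOWED_HOST_SUFFIXES):
        return False
    return resolves_to_public_address(host, resolve)


def hardened_handler(store, query_key, payload, fetch, resolve) -> str:
    stored = store.get(KEY_OPTION)
    # An absent key is a failure, not a free pass; compare in constant time.
    if not stored or not query_key or not hmac.compare_digest(stored.encode(), query_key.encode()):
        return "forbidden"
    url = payload.get("SubscribeURL")
    if not url:
        return "ignored"
    if not safe_subscribe_url(url, resolve):
        return "rejected"
    fetch(url)
    return "confirmed"


def demo() -> Dict[str, object]:
    """Runs both handlers against constructed requests; no network is used."""
    fetched: List[str] = []
    fetch = fetched.append

    def resolve(host: str) -> List[str]:  # constructed resolver, no real DNS
        return ["52.0.0.1"] if host.endswith(".amazonaws.com") else ["10.0.0.5"]

    internal = {"SubscribeURL": "http://127.0.0.1:8080/admin"}  # constructed attacker payload
    sns = {"SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=abc"}
    results: Dict[str, object] = {}
    store = OptionStore()  # default state: no key stored
    results["vuln_unconfigured"] = vulnerable_handler(store, None, internal, fetch)
    results["hard_unconfigured"] = hardened_handler(store, None, internal, fetch, resolve)
    key = visit_settings_page(store)  # the advisory's temporary mitigation
    results["vuln_after_visit"] = vulnerable_handler(store, None, internal, fetch)
    results["hard_bad_key"] = hardened_handler(store, "guess", sns, fetch, resolve)
    results["hard_internal"] = hardened_handler(store, key, internal, fetch, resolve)
    results["hard_sns"] = hardened_handler(store, key, sns, fetch, resolve)
    results["fetched"] = fetched
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unconfigured vulnerable handler fetches the loopback URL; the hardened one refuses until a key exists, and even with a valid key it refuses anything that is not an https URL on the allowlisted host. Resolving the host and then fetching it leaves a DNS rebinding window, so a production handler should also pin the resolved address in the HTTP client (or re-validate) and disable redirect following.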

Fix
Weakness Enumeration: SSRF
Related Identifiers: CVE-2026-7798
Affected Products: Fluentcrm