PT-2026-7232 · WordPress · Wordpress+1
Pyrobd · Published 2026-02-10 · Updated 2026-02-10 · CVE-2026-0996
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Fluent Forms plugin for WordPress versions prior to 6.1.15
Description
The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the AI Form Builder module. The issue results from missing authorization checks, a leaked nonce, and inadequate input sanitization. Subscriber-level users can initiate AI form generation through a protected endpoint. AI services may return JavaScript code without script tags, which bypasses the plugin’s sanitization measures. This allows attackers with Subscriber-level access or higher to inject arbitrary web scripts that execute when anyone views the generated form. The AI Form Builder module is the affected component.
Recommendations
Update the Fluent Forms plugin to version 6.1.15 or later.
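For developers reviewing similar AI-assisted features, the sketch below is an added example, not the plugin's code or its 6.1.15 fix. It shows why a filter that only strips script tags passes bare JavaScript unchanged, and how a role gate plus allow-list rebuilding of the AI response closes that gap. The response schema, the `custom_js` key, the role names and all function names are assumptions made for illustration.

```python
import html
import re

# Constructed sample of an AI service reply (hypothetical schema): the
# "custom_js" value is bare JavaScript with no <script> wrapper around it.
AI_RESPONSE = {
    "title": "Contact us",
    "fields": [
        {"type": "text", "label": "Name"},
        {"type": "email", "label": "Email <b>address</b>"},
    ],
    "custom_js": "console.log('constructed sample');",
}

ALLOWED_TOP_KEYS = {"title", "fields"}
ALLOWED_FIELD_KEYS = {"type", "label"}
ALLOWED_FIELD_TYPES = {"text", "email", "textarea", "select", "checkbox"}
PRIVILEGED_ROLES = {"administrator"}  # assumption: only admins may generate


def strip_script_tags(value: str) -> str:
    """Weak filter: removes <script> elements and nothing else."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", value)


def plain_text(value) -> str:
    """Reduce a label or title to escaped text with all markup removed."""
    return html.escape(re.sub(r"<[^>]*>", "", str(value)))


def accept_generated_form(role: str, response: dict) -> dict:
    """Authorize the caller, then rebuild the form from allow-listed parts."""
    if role not in PRIVILEGED_ROLES:
        raise PermissionError("role may not trigger form generation")
    extra = set(response) - ALLOWED_TOP_KEYS
    if extra:
        raise ValueError(f"unexpected keys in AI response: {sorted(extra)}")
    fields = []
    for field in response.get("fields", []):
        if not isinstance(field, dict) or set(field) - ALLOWED_FIELD_KEYS:
            raise ValueError("field carries keys outside the allow-list")
        if field.get("type") not in ALLOWED_FIELD_TYPES:
            raise ValueError("field type outside the allow-list")
        fields.append({"type": field["type"],
                       "label": plain_text(field.get("label", ""))})
    return {"title": plain_text(response.get("title", "")), "fields": fields}
```

The stored form is rebuilt only from values that passed the allow-list, so anything the AI service adds outside the expected schema is rejected rather than filtered.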
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Fluent Forms
Wordpress