CVE-2025-13722
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to create arbitrary forms via the Fluent Forms AI builder due to missing authorization checks. All WordPress sites using Fluent Forms plugin versions up to 6.1.7 are affected. Attackers can exploit this to create malicious forms that could collect sensitive data or redirect users.
💻 Affected Systems
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers create phishing forms to steal user credentials, payment information, or personal data, potentially leading to data breaches and account compromise.
Likely Case
Attackers create spam forms, redirect forms, or forms that collect unnecessary user data, disrupting site functionality and user experience.
If Mitigated
With proper user role management and monitoring, impact is limited to minor site disruption from unauthorized form creation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via AJAX requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.8
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Ai/AiFormBuilder.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Fluent Forms plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 6.1.8+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Fluent Forms AI Builder
Temporarily disable the vulnerable AI form builder functionality
Add to wp-config.php: define('FLUENTFORM_DISABLE_AI_BUILDER', true);
Restrict User Registration
Temporarily disable new user registration to prevent attacker account creation
In WordPress admin: Settings > General > Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict user role management: review and remove unnecessary Subscriber accounts
- Monitor form creation logs and WordPress activity logs for unauthorized form creation attempts
🔍 How to Verify
Check if Vulnerable:
Check Fluent Forms plugin version in WordPress admin: Plugins > Installed Plugins. If version is 6.1.7 or lower, you are vulnerable.
Check Version:
wp plugin list --name=fluentform --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify plugin version shows 6.1.8 or higher in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual form creation activity, especially from Subscriber accounts
- AJAX requests to /wp-admin/admin-ajax.php with action=fluentform_ai_create_form
Network Indicators:
- POST requests to admin-ajax.php with fluentform_ai_create_form parameter from non-admin users
SIEM Query:
source="wordpress.logs" action="fluentform_ai_create_form" user_role="subscriber"
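The version check and the log indicators above, as an added example that is not part of the original advisory or of the Fluent Forms plugin: it compares a plugin version against the 6.1.8 fix and flags `fluentform_ai_create_form` activity from non-administrator roles, plus bursts of form creation by one user. The JSON-lines activity-log format and the assumption that only administrators build forms are constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: only administrators are expected to build forms; any other
# role reaching the AI builder action is worth an alert.
TRUSTED_ROLES = {"administrator"}
VULNERABLE_ACTION = "fluentform_ai_create_form"
FIXED_VERSION = (6, 1, 8)  # patched release named in the advisory

def parse_version(v):
    """'6.1.7' -> (6, 1, 7); missing components are padded with 0."""
    parts = [int(p) for p in v.strip().split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_vulnerable_version(v):
    return parse_version(v) < FIXED_VERSION

def find_unauthorized_ai_form_creations(log_lines, burst=3, window_minutes=5):
    """Return alerts for AI-builder form creation by untrusted roles, plus one
    alert per user who creates `burst` or more forms within `window_minutes`."""
    alerts, per_user = [], defaultdict(list)
    for line in log_lines:
        rec = json.loads(line)  # constructed JSON-lines activity-log record
        if rec.get("action") != VULNERABLE_ACTION:
            continue
        per_user[rec["user"]].append(datetime.fromisoformat(rec["ts"]))
        if rec.get("role") not in TRUSTED_ROLES:
            alerts.append(f"{rec['ts']} untrusted role '{rec['role']}' "
                          f"user={rec['user']} ip={rec['ip']} created form")
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= timedelta(minutes=window_minutes):
                alerts.append(f"burst: user={user} created {burst}+ forms "
                              f"within {window_minutes} min")
                break
    return alerts

# Constructed sample records (not real data): one legitimate admin action and
# three subscriber-driven form creations within four minutes.
SAMPLE_LOG = [
    '{"ts": "2025-01-10T09:00:00", "user": "admin", "role": "administrator", "action": "fluentform_ai_create_form", "ip": "10.0.0.5"}',
    '{"ts": "2025-01-10T09:01:00", "user": "alice", "role": "subscriber", "action": "fluentform_ai_create_form", "ip": "203.0.113.7"}',
    '{"ts": "2025-01-10T09:02:00", "user": "alice", "role": "subscriber", "action": "heartbeat", "ip": "203.0.113.7"}',
    '{"ts": "2025-01-10T09:03:00", "user": "alice", "role": "subscriber", "action": "fluentform_ai_create_form", "ip": "203.0.113.7"}',
    '{"ts": "2025-01-10T09:04:00", "user": "alice", "role": "subscriber", "action": "fluentform_ai_create_form", "ip": "203.0.113.7"}',
]
```

Running `find_unauthorized_ai_form_creations(SAMPLE_LOG)` yields three untrusted-role alerts for alice and one burst alert; the admin's single creation produces nothing.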