CVE-2026-0632
📋 TL;DR
The Fluent Forms Pro Add On Pack plugin for WordPress has a Server-Side Request Forgery vulnerability that allows authenticated users with Subscriber-level access or higher to make arbitrary web requests from the server. This could enable attackers to query or modify internal services. All WordPress sites using this plugin up to version 6.1.12 are affected.
💻 Affected Systems
- Fluent Forms Pro Add On Pack for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to attack other internal systems from the compromised WordPress server.
Likely Case
Attackers with subscriber accounts could probe internal networks, access internal APIs, or perform limited data exfiltration from services reachable from the WordPress server.
If Mitigated
With proper network segmentation and authentication controls, impact would be limited to services in the same network segment as the WordPress server.
🎯 Exploit Status
Exploitation requires authenticated access but only at Subscriber level, which is the lowest WordPress user role with login capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.13 or later
Vendor Advisory: https://fluentforms.com/docs/changelog/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Fluent Forms Pro Add On Pack. 4. Click 'Update Now' if update is available. 5. Alternatively, download latest version from vendor and upload via FTP.
🔧 Temporary Workarounds
Disable vulnerable functionality
allTemporarily disable the saveDataSource functionality or restrict access to affected endpoints
Add to wp-config.php: define('FLUENTFORMS_PRO_DISABLE_SSRF', true);
Restrict user roles
allRemove Subscriber role access or elevate authentication requirements
Use WordPress role management plugins to modify capabilities
🧯 If You Can't Patch
- Implement network segmentation to isolate WordPress server from internal services
- Deploy web application firewall rules to block SSRF patterns and restrict outbound requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Fluent Forms Pro Add On Pack versionCheck Version:
wp plugin list --name='Fluent Forms Pro Add On Pack' --field=versionVerify Fix Applied:
Verify plugin version is 6.1.13 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=saveDataSource
- Outbound requests from WordPress server to internal IP ranges
Network Indicators:
- WordPress server making unexpected HTTP requests to internal services
- Traffic from WordPress server to non-standard ports
SIEM Query:
source="wordpress-logs" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "saveDataSource")