CVE-2026-2365

7.2 HIGH

📋 TL;DR

The Fluent Forms Pro WordPress plugin has a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts into draft form submissions. These scripts execute when WordPress administrators view partial form entries, potentially compromising admin sessions. All WordPress sites using Fluent Forms Pro versions up to 6.1.17 are affected.

💻 Affected Systems

Products:
  • Fluent Forms Pro WordPress Plugin
Versions: All versions up to and including 6.1.17
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Fluent Forms Pro plugin installed. The vulnerability exists in default configurations.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to WordPress sites, install backdoors, steal sensitive data, or deface websites by hijacking admin sessions.

🟠 Likely Case

Attackers steal administrator session cookies or credentials, leading to unauthorized access and potential site compromise.

🟢 If Mitigated

With proper input validation and output escaping, malicious scripts are neutralized before execution, preventing session hijacking.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and minimal technical skill, because the AJAX endpoint is publicly accessible and has insufficient security controls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.18 or later

Vendor Advisory: https://fluentforms.com/docs/changelog/#3-toc-title

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Fluent Forms Pro and click 'Update Now'.
4. Verify the version is 6.1.18 or higher.

🔧 Temporary Workarounds

Disable Fluent Forms Pro Plugin (platform: all)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate fluentform-pro

Restrict AJAX Endpoint Access (platform: linux)

Add .htaccess rules to block requests for the vulnerable AJAX action. RewriteRule only matches the URL path, never the query string, so the action parameter has to be tested with a RewriteCond:

RewriteEngine On
# Return 403 when admin-ajax.php is requested with the vulnerable action in the query string
RewriteCond %{QUERY_STRING} (^|&)action=fluentform_step_form_save_data(&|$) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F]

Note that WordPress AJAX actions are commonly sent in the POST body rather than the query string, which mod_rewrite cannot inspect; covering that case needs a WAF rule that examines the request body.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block XSS payloads targeting the fluentform_step_form_save_data endpoint
  • Restrict administrative access to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Fluent Forms Pro version. If the version is 6.1.17 or lower, the system is vulnerable.

Check Version:

wp plugin get fluentform-pro --field=version

Verify Fix Applied:

Verify Fluent Forms Pro version is 6.1.18 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with action=fluentform_step_form_save_data containing script tags or JavaScript payloads
  • Multiple failed authentication attempts followed by successful admin access

Network Indicators:

  • HTTP POST requests to WordPress AJAX endpoint with malicious payloads in form data

SIEM Query:

source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND query="action=fluentform_step_form_save_data" AND (body="<script>" OR body="javascript:")
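As an added example (not part of this advisory), the log indicators above turned into a small Python scanner over constructed Apache combined-format access-log lines: it flags every request to the vulnerable action and marks a hit as 'payload' when the percent-decoded URL carries a script marker. The sample lines, the `on*=` marker and the function names are assumptions, not values from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data HTTP/1.1" 200 85 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data&data=%3Cscript%3E HTTP/1.1" 200 85 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data&data=javascript: HTTP/1.1" 200 85 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "fluentform_step_form_save_data"
# Script tag, javascript: URL and inline event-handler markers (the page's indicators plus on*=, an assumption).
PAYLOAD_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line into a dict; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["uri"])
    entry["path"], entry["params"] = parts.path, parse_qs(parts.query)
    return entry

def classify(entry):
    """'payload' if a script marker is in the decoded request, 'endpoint' for any other
    request to the vulnerable action, None for everything else."""
    if entry["path"] != TARGET_PATH or TARGET_ACTION not in entry["params"].get("action", []):
        return None
    # unquote_plus so %3Cscript%3E is matched as <script>
    return "payload" if PAYLOAD_RE.search(unquote_plus(entry["uri"])) else "endpoint"

def scan(log_text):
    """Return (ip, timestamp, level) for every request to the vulnerable action.
    Caveat: access logs do not record POST bodies, so a payload sent only in the body
    shows up as 'endpoint'; body inspection needs a WAF or ModSecurity audit log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        level = classify(entry) if entry else None
        if level:
            hits.append((entry["ip"], entry["ts"], level))
    return hits

if __name__ == "__main__":
    for ip, ts, level in scan(SAMPLE_LOG):
        print(f"{level:8} {ip} {ts}")
```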
