CVE-2026-2365

Sažetak

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.

Reference

https://fluentforms.com/docs/changelog/#3-toc-title
https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Modules/Form/FormDataParser.php#L57
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e911b0a-a236-4df3-b997-3631412a1b55?source=cve

CVSS

Base:	7.2
Impact:	2.7
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Zadnje važnije ažuriranje

05-03-2026 - 19:38

Objavljeno

05-03-2026 - 04:15