CVE-2026-2365
Stored XSS in Fluent Forms Pro via Unauthenticated AJAX Endpoint
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpmet | fluent_forms_pro | up to and including 6.1.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Fluent Forms Pro plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 6.1.17. This vulnerability exists because the draft form submission endpoint is publicly accessible without requiring authentication or nonce verification. Additionally, the plugin does not sufficiently sanitize input or escape output for form field data. As a result, an unauthenticated attacker can inject arbitrary web scripts that will execute whenever an administrator views a partial form entry.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to inject malicious scripts into form entries that administrators view. When an administrator opens a partial form entry containing the injected script, the script executes in their browser context. This can lead to theft of administrator credentials, session hijacking, or other malicious actions performed with administrator privileges. The vulnerability has a CVSS v3.1 base score of 7.2, indicating a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the publicly accessible AJAX action `fluentform_step_form_save_data` in the Fluent Forms Pro WordPress plugin, which allows unauthenticated attackers to submit data without nonce verification.
To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the AJAX endpoint related to Fluent Forms Pro, specifically requests to URLs containing `fluentform_step_form_save_data`.
Suggested commands include using network traffic inspection tools or web server logs to search for such requests. For example, on a Linux server, you can use the following commands to search your web server access logs for suspicious POST requests:
- `grep -i 'fluentform_step_form_save_data' /var/log/apache2/access.log`
- `grep -i 'fluentform_step_form_save_data' /var/log/nginx/access.log`
Additionally, monitoring for unusual or unexpected POST requests to this endpoint from unauthenticated sources can help detect attempts to exploit the vulnerability.
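The grep above matches any line that mentions the action name; the following script, added here as an illustration and not part of the advisory or of the Fluent Forms plugin, goes one step further and parses combined-format access-log lines, keeps only requests whose request line targets `admin-ajax.php` with `action=fluentform_step_form_save_data` in the query string, and counts hits per source address so that a burst from one client stands out. The log lines it scans are constructed sample data, not real traffic. Two caveats the script makes explicit: an access log records only the request line, so an `action` parameter sent in the POST body (which WordPress also accepts, since `admin-ajax.php` reads it from `$_REQUEST`) is invisible here and needs a web application firewall or request-body logging to catch; and because the endpoint is the plugin's legitimate draft-save path, a hit is not proof of exploitation, so the summary also separates requests that arrive without a referer, which are less typical of a browser on a form page.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The vulnerable AJAX action named in the advisory.
ACTION = "fluentform_step_form_save_data"

# Constructed sample log lines in Apache/nginx combined format (not real traffic).
# Line 4 is a POST whose action travels in the body: the access log cannot see it.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [05/Mar/2026:10:01:05 +0000] "GET /wp-content/plugins/fluentform/assets/css/fluent-forms-public.css HTTP/1.1" 200 9123 "https://example.test/contact/" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.44 - - [05/Mar/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.test/contact/" "Mozilla/5.0"
192.0.2.44 - - [05/Mar/2026:10:02:31 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # dict of parameter -> list of values
    return rec


def is_suspicious(rec):
    """True when the request line hits admin-ajax.php with the vulnerable action in its query string."""
    return (
        rec is not None
        # endswith() also covers WordPress installed in a subdirectory.
        and rec["path"].endswith("/wp-admin/admin-ajax.php")
        and ACTION in rec["query"].get("action", [])
    )


def scan(log_text):
    """Return the parsed records that match the detection rule, in log order."""
    return [rec for rec in map(parse_line, log_text.splitlines()) if is_suspicious(rec)]


def summarize(hits):
    """Count hits per source IP; a single client repeating the request is the signal to triage first."""
    return Counter(h["ip"] for h in hits)


def without_referer(hits):
    """Hits that carry no referer ("-" or missing), i.e. not obviously a browser on the form page."""
    return [h for h in hits if h.get("referer") in (None, "", "-")]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]} ua={h.get("ua")!r}')
    print("hits per source:", dict(summarize(hits)))
    print("hits without referer:", len(without_referer(hits)))
```

Run it against a real file by replacing `SAMPLE_LOG` with the contents of `/var/log/apache2/access.log` or `/var/log/nginx/access.log`; lines in a custom log format will simply fail to parse and be skipped, so check that `parse_line` matches your format before trusting an empty result.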
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Fluent Forms Pro plugin to a version later than 6.1.17 where this vulnerability is fixed.
If an immediate update is not possible, restrict access to the AJAX endpoint `fluentform_step_form_save_data` by implementing authentication or firewall rules to block unauthenticated requests.
Additionally, review and harden your WordPress installation's security settings, including limiting administrator access and monitoring for suspicious activity.