CVE-2026-2365
Received Received - Intake
Stored XSS in Fluent Forms Pro via Unauthenticated AJAX Endpoint

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Wordfence

Description
The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2365
EUVD
EUVD-2026-9524
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpmet fluent_forms_pro to 6.1.17 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Fluent Forms Pro plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 6.1.17. This vulnerability exists because the draft form submission endpoint is publicly accessible without requiring authentication or nonce verification. Additionally, the plugin does not sufficiently sanitize input or escape output for form field data. As a result, an unauthenticated attacker can inject arbitrary web scripts that will execute whenever an administrator views a partial form entry.

Impact Analysis

This vulnerability allows unauthenticated attackers to inject malicious scripts into form entries that administrators view. When an administrator opens a partial form entry containing the injected script, the script executes in their browser context. This can lead to theft of administrator credentials, session hijacking, or other malicious actions performed with administrator privileges. The vulnerability has a CVSS v3.1 base score of 7.2, indicating a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the publicly accessible AJAX action `fluentform_step_form_save_data` in the Fluent Forms Pro WordPress plugin, which allows unauthenticated attackers to submit data without nonce verification.

To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the AJAX endpoint related to Fluent Forms Pro, specifically requests to URLs containing `fluentform_step_form_save_data`.

Suggested commands include using network traffic inspection tools or web server logs to search for such requests. For example, on a Linux server, you can use the following command to search your web server access logs for suspicious POST requests:

  • grep -i 'fluentform_step_form_save_data' /var/log/apache2/access.log
  • grep -i 'fluentform_step_form_save_data' /var/log/nginx/access.log

Additionally, monitoring for unusual or unexpected POST requests to this endpoint from unauthenticated sources can help detect attempts to exploit the vulnerability.

Mitigation Strategies

Immediate mitigation steps include updating the Fluent Forms Pro plugin to a version later than 6.1.17 where this vulnerability is fixed.

If an immediate update is not possible, restrict access to the AJAX endpoint `fluentform_step_form_save_data` by implementing authentication or firewall rules to block unauthenticated requests.

Additionally, review and harden your WordPress installation's security settings, including limiting administrator access and monitoring for suspicious activity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2365. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart