CVE-2026-7798
Received Received - Intake
Blind SSRF in FluentCRM WordPress Plugin

Publication date: 2026-05-22

Last updated on: 2026-05-22

Assigner: Wordfence

Description
The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling) as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-22
Last Modified
2026-05-22
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-7798
EUVD
EUVD-2026-31418
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fluentcrm fluentcrm to 2.9.87 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the FluentCRM WordPress plugin up to version 2.9.87 and is a Blind Server-Side Request Forgery (SSRF) via the 'SubscribeURL' parameter.

This flaw allows unauthenticated attackers to make web requests from the web application to arbitrary locations, potentially querying and modifying information from internal services.

Exploitation is only possible if the SES bounce handling key ('_fc_bounce_key') has never been stored, which is the case when the site is in its default or unconfigured state regarding SES bounce handling.

Visiting the bounce configuration page generates and stores a random key that prevents unauthenticated requests from succeeding.

Compliance Impact

The vulnerability allows unauthenticated attackers to make web requests to arbitrary locations from the web application, potentially querying and modifying information from internal services.

Such unauthorized access and potential data modification could lead to breaches of confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Impact Analysis

This vulnerability can allow attackers to make unauthorized web requests from your server to arbitrary locations.

Such actions can be used to query and modify information from internal services that are otherwise not accessible externally.

This could lead to unauthorized data access or manipulation within your internal network.

Mitigation Strategies

To mitigate this vulnerability, ensure that the SES bounce handling key ('_fc_bounce_key') is generated and stored by visiting the bounce configuration page in the FluentCRM plugin. This action causes the authentication check to evaluate correctly and reject unauthenticated requests, preventing exploitation.

Additionally, consider updating the FluentCRM plugin to a version later than 2.9.87 where this vulnerability is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7798. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart