Missing Authorization Vulnerability in Fluent Forms for WordPress
CVE-2025-13722
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 7 January 2026
What is CVE-2025-13722?
The Fluent Forms plugin for WordPress suffers from a Missing Authorization vulnerability that affects all versions up to and including 6.1.7. This issue arises from inadequate capability checks on the fluentform_ai_create_form AJAX action, allowing authenticated attackers with at least Subscriber-level access to create arbitrary forms using the publicly accessible AI builder. This weakness can lead to unauthorized actions and potential misuse of the form creation feature, impacting site security and functionality.
Affected Version(s)
Fluent Forms β Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 0 <= 6.1.7