Missing Authorization Vulnerability in Fluent Forms for WordPress
CVE-2025-13722

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vendor: CVE Published:; 7 January 2026

What is CVE-2025-13722?

The Fluent Forms plugin for WordPress suffers from a Missing Authorization vulnerability that affects all versions up to and including 6.1.7. This issue arises from inadequate capability checks on the fluentform_ai_create_form AJAX action, allowing authenticated attackers with at least Subscriber-level access to create arbitrary forms using the publicly accessible AI builder. This weakness can lead to unauthorized actions and potential misuse of the form creation feature, impacting site security and functionality.

Affected Version(s)

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder * <= 6.1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3406804/flue...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Nov 25, 2025

Credit

Marcin Dudek

JSON