Stored Cross-Site Scripting Vulnerability in Fluent Forms Plugin for WordPress
CVE-2025-3615
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 17 April 2025
What is CVE-2025-3615?
The Fluent Forms plugin used in WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in its form-submission.js script. This vulnerability affects all versions up to and including 6.0.2, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. When users visit these compromised pages, the injected scripts can execute, potentially leading to unauthorized data access or site manipulation.
Affected Version(s)
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder * <= 6.0.2