Stored Cross-Site Scripting Vulnerability in Fluent Forms Plugin for WordPress
CVE-2025-3615

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vendor
CVE Published:
17 April 2025

What is CVE-2025-3615?

The Fluent Forms plugin used in WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in its form-submission.js script. This vulnerability affects all versions up to and including 6.0.2, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. When users visit these compromised pages, the injected scripts can execute, potentially leading to unauthorized data access or site manipulation.

Affected Version(s)

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder * <= 6.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/fluentform/tag...
https://wordpress.org/plugins/fluentform/#developers

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Asaf Mozes
.