Stored Cross-Site Scripting in Fluent Forms Plugin for WordPress
CVE-2026-0996
6.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 10 February 2026
What is CVE-2026-0996?
The Fluent Forms plugin exposes a severe stored cross-site scripting (XSS) vulnerability in its AI Form Builder module, which authenticated users with Subscriber-level access can exploit. The flaw arises from insufficient authorization checks, a leaked nonce, and inadequate input sanitization. By triggering AI form generation through a protected endpoint, an attacker can inject malicious JavaScript into forms. The injected code executes whenever a user views the affected form, which puts any visitor at risk and can lead to data compromise and other malicious activity.
Affected Version(s)
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 0 <= 6.1.14