Stored Cross-Site Scripting Risk in Fluent Forms Pro Plugin for WordPress
CVE-2026-2365
7.2 HIGH
What is CVE-2026-2365?
The Fluent Forms Pro plugin for WordPress contains a vulnerability that exposes the fluentform_step_form_save_data AJAX action. This exposure enables unauthenticated attackers to execute stored cross-site scripting attacks by injecting arbitrary web scripts through the publicly accessible draft form submission endpoint, which lacks proper authentication and nonce verification. Furthermore, insufficient input sanitization and output escaping of form field data increase the risk, allowing malicious scripts to execute whenever an administrator views a partial form entry.
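A log-triage sketch for the endpoint described above, added here as an example and not taken from the plugin or the advisory: it flags POSTs to the `fluentform_step_form_save_data` action whose fields contain markup, decoding repeatedly so double-encoded input is still caught. The JSON-lines log format, the sample requests and the `form_id`/`data` parameter names are constructed assumptions; the scan does not depend on any field name other than `action`.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus

ACTION = "fluentform_step_form_save_data"  # AJAX action named in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"     # standard WordPress AJAX entry point
# Markup that should never appear in a draft form field (broad on purpose: triage).
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|svg|img|iframe|object|embed)\b"  # HTML elements
    r"|[\s\"'/]on[a-z]{3,}\s*="                          # inline event handlers
    r"|javascript\s*:", re.I)

# Constructed sample: one JSON object per request, as a proxy or WAF with body
# capture might log it. The parameter names form_id and data are made up.
SAMPLE_LOG = """\
{"ip": "203.0.113.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=fluentform_step_form_save_data&form_id=3&data=names%3DAlice%26email%3Da%2540example.org"}
{"ip": "198.51.100.22", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=fluentform_step_form_save_data&form_id=3&data=names%3D%253Cscript%253Ealert(1)%253C%252Fscript%253E"}
{"ip": "198.51.100.23", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&data=%3Cscript%3E"}
"""

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded markup becomes visible."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(record):
    """Return (field, decoded_value) pairs that carry markup, for one request."""
    if record.get("method") != "POST" or not record.get("path", "").endswith(AJAX_PATH):
        return []
    pairs = parse_qsl(record.get("body", ""), keep_blank_values=True)
    if dict(pairs).get("action") != ACTION:
        return []  # some other AJAX action: out of scope for this check
    decoded = [(key, fully_decode(val)) for key, val in pairs]
    return [(key, val) for key, val in decoded if SUSPICIOUS.search(val)]

def scan(log_text):
    """Scan JSON-lines log text and return one finding per suspicious field."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        for field, value in triage(record):
            findings.append({"ip": record.get("ip"), "field": field, "value": value})
    return findings

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOG), indent=2))
```

A hit means markup reached the draft-save endpoint, not that it was stored or rendered; confirm against the partial entries before an administrator opens them in the browser.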
Affected Version(s)
Fluent Forms Pro Add On Pack: all versions <= 6.1.17