Blind Server-Side Request Forgery in FluentCRM Plugin for WordPress
CVE-2026-7798

5.4 MEDIUM

What is CVE-2026-7798?

The FluentCRM plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to and including 2.9.87. The bounce-handling endpoint does not validate the 'SubscribeURL' parameter before requesting it, so an unauthenticated attacker can make the web server issue requests to locations of the attacker's choosing, including internal services that are reachable from the server but not from the attacker. The forgery is blind: the response is not returned to the attacker, so it can be used to query and modify information on internal services through the side effects of the request, but not to read responses directly. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') is unset, which is the plugin's default state; a random key is generated only once the bounce handling settings have been accessed, and from then on requests without the matching key are rejected. On an unpatched install, confirming that a '_fc_bounce_key' value exists (by opening the bounce handling settings so that one is generated) therefore closes the unauthenticated path.
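As an added example (not FluentCRM's code, and not the fix the vendor shipped), the following Python model of an SNS SubscriptionConfirmation endpoint shows the two conditions the advisory describes and how each is closed. The handler names, the `fetch` stub and the sample URLs are constructed for illustration; the SNS host pattern is an assumption about where confirmation URLs are hosted, not something the advisory states. `handle_vulnerable` reproduces the advisory's precondition: the key is checked only when one has been generated, so a fresh install fetches whatever URL is supplied. `handle_hardened` refuses to operate until a key exists, compares it in constant time, and fetches SubscribeURL only when it points at an SNS endpoint over https.

```python
"""Model of an SNS SubscriptionConfirmation webhook, in the shape the advisory
describes: an endpoint that fetches SubscribeURL, gated (or not) by a bounce key.
Illustrative example only; this is not FluentCRM code."""
import hmac
import json
import re
from urllib.parse import urlparse

# Assumption: SNS only hands out confirmation URLs on its own endpoints,
# sns.<region>.amazonaws.com (sns.<region>.amazonaws.com.cn in China regions).
SNS_HOST_RE = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def is_allowed_subscribe_url(url: str) -> bool:
    """Accept only https URLs on the default port whose host is an SNS endpoint."""
    p = urlparse(url)
    if p.scheme != "https":
        return False
    if p.username is not None or p.password is not None:
        # https://sns.us-east-1.amazonaws.com@attacker.example/ parses with hostname
        # attacker.example; reject any userinfo outright rather than rely on that alone.
        return False
    try:
        port = p.port
    except ValueError:          # port outside 0-65535
        return False
    if port not in (None, 443):
        return False
    return SNS_HOST_RE.fullmatch(p.hostname or "") is not None


def _key_matches(request_key, configured_key) -> bool:
    """Constant-time comparison of the key presented on the request."""
    return hmac.compare_digest((request_key or "").encode(), configured_key.encode())


def handle_vulnerable(configured_key, request_key, body, fetch):
    """The pattern the advisory describes: the key is only checked when one has been
    generated, and SubscribeURL is fetched without validation. Returns (status, reason)."""
    if configured_key and not _key_matches(request_key, configured_key):
        return 403, "bad key"
    msg = json.loads(body)
    if msg.get("Type") == "SubscriptionConfirmation":
        fetch(msg["SubscribeURL"])      # server-side request to an attacker-chosen URL
        return 200, "confirmed"
    return 200, "ignored"


def handle_hardened(configured_key, request_key, body, fetch):
    """Fail closed until a key exists, compare it in constant time, and only fetch
    confirmation URLs that point at SNS itself."""
    if not configured_key:
        return 503, "bounce handler not configured"
    if not _key_matches(request_key, configured_key):
        return 403, "bad key"
    try:
        msg = json.loads(body)
    except ValueError:
        return 400, "body is not JSON"
    if msg.get("Type") != "SubscriptionConfirmation":
        return 200, "ignored"
    url = msg.get("SubscribeURL", "")
    if not is_allowed_subscribe_url(url):
        return 400, "SubscribeURL is not an SNS endpoint"
    fetch(url)
    return 200, "confirmed"


def simulate(handler, configured_key, request_key, subscribe_url):
    """Send one constructed SubscriptionConfirmation through a handler, recording what
    the server would have fetched. Returns (status, reason, urls_fetched)."""
    fetched = []
    body = json.dumps({"Type": "SubscriptionConfirmation", "SubscribeURL": subscribe_url})
    status, reason = handler(configured_key, request_key, body, fetched.append)
    return status, reason, fetched


if __name__ == "__main__":
    internal = "http://169.254.169.254/latest/meta-data/"   # constructed attacker payload
    sns = "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=t"
    print(simulate(handle_vulnerable, None, None, internal))  # default config: fetched
    print(simulate(handle_hardened, None, None, internal))    # refused, nothing fetched
    print(simulate(handle_hardened, "k", "k", sns))           # legitimate confirmation
```

In a WordPress plugin the same allowlist would sit in front of the outbound call (for example `wp_safe_remote_get()`); `wp_safe_remote_get()` by itself only refuses private, loopback and link-local addresses, so an attacker could still aim the request at arbitrary external hosts, which is why a host allowlist is needed as well. Verifying the SNS message signature is the other independent control and is not shown here.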

Affected Version(s)

FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution: all versions up to and including 2.9.87 (<= 2.9.87)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Score: 5.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High (exploitation depends on the bounce key never having been generated)
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Saleh Elsayed