Fluent Forms Pro plugin exposes admin pages to malicious scripts

CVE-2026-2365
Summary

The Fluent Forms Pro plugin for WordPress has a stored cross-site scripting flaw that lets attackers inject malicious script into admin pages. This matters because an attacker could access sensitive information or take control of the website. Update the plugin to version 6.1.18 or later to fix the issue.

Original description
The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.
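To make the three missing controls named in the description concrete (nonce verification, input sanitization before storage, output escaping when an administrator views the entry), here is an added illustrative PHP handler for a step-form draft save action. It is not Fluent Forms' own code; the function names, the `_nonce` field, the nonce action string and the option key are assumptions.

```php
<?php
// Added illustrative example (not Fluent Forms' own code): a hardened WordPress
// AJAX handler for a hypothetical step-form draft save, applying the controls
// the advisory says were absent: nonce check, sanitize on store, escape on render.
add_action( 'wp_ajax_fluentform_step_form_save_data', 'example_save_step_draft' );
add_action( 'wp_ajax_nopriv_fluentform_step_form_save_data', 'example_save_step_draft' );

function example_save_step_draft() {
    // 1. Nonce check: the form page must embed wp_create_nonce( 'example_step_draft' ).
    check_ajax_referer( 'example_step_draft', '_nonce' ); // sends 403 and exits on failure

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( ! $form_id ) {
        wp_send_json_error( 'invalid form id', 400 );
    }

    // 2. Sanitize every submitted field before it is stored; wp_unslash first
    //    because WordPress adds slashes to request data.
    $raw    = isset( $_POST['data'] ) && is_array( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : array();
    $fields = array();
    foreach ( $raw as $name => $value ) {
        $key = sanitize_key( $name );
        if ( '' === $key ) {
            continue;
        }
        $fields[ $key ] = is_array( $value )
            ? array_map( 'sanitize_text_field', $value )
            : sanitize_text_field( $value );
    }

    // Store under a hypothetical option key; a real plugin would use its own table.
    update_option( 'example_step_draft_' . $form_id, $fields, false );
    wp_send_json_success( array( 'saved' => count( $fields ) ) );
}

// 3. Escape on output when an administrator views the partial entry, so even a
//    value that slipped past sanitization is rendered as text, not script.
function example_render_partial_entry( $form_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient permissions', 403 );
    }
    $fields = (array) get_option( 'example_step_draft_' . absint( $form_id ), array() );
    echo '<table class="widefat">';
    foreach ( $fields as $key => $value ) {
        $shown = is_array( $value ) ? implode( ', ', $value ) : $value;
        printf( '<tr><th>%s</th><td>%s</td></tr>', esc_html( $key ), esc_html( $shown ) );
    }
    echo '</table>';
}
```

The nonce alone does not stop stored XSS; sanitization at the store and `esc_html()` at the render are the controls that keep injected markup from executing in the admin view.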
NVD CVSS 3.1 score: 7.2
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026