WordPress Plugin Vulnerabilities

FluentForm < 6.1.12 - Unauthenticated Arbitrary Shortcode Execution

Description

The plugin is vulnerable to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
fluentform
Fixed in 6.1.12

References

CVE
CVE-2025-69001
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2e5602b2-c1ed-40a5-8186-3ab1b5e32f7f

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Kishan Vyas
Verified
No
WPVDB ID
4eea9938-4c19-4757-b469-9a0fad1ef3e5

Timeline

Publicly Published
2026-01-13 (about 4 months ago)
Added
2026-02-04 (about 3 months ago)
Last Updated
2026-02-04 (about 3 months ago)

Other

Published
Title
Published
2025-08-18
Title
Cloudflare Image Resizing < 1.5.7 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook
Published
2023-09-26
Title
Ni Purchase Order(PO) For WooCommerce < 1.2.2 - Admin+ File Upload to Remote Code Execution
Published
2026-03-23
Title
Woocommerce Custom Product Addons Pro < 5.4.2 - Unauthenticated Remote Code Execution via Custom Pricing Formula
Published
2024-12-20
Title
kk Star Ratings – Rate Post & Collect User Feedbacks < 5.4.10.2 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-08-07
Title
WooCommerce Product Table Lite < 3.8.6 - Unauthenticated Arbitrary Shortcode Execution