WordPress Plugin Vulnerabilities

Fluent Forms < 6.1.15 - Subscriber+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscriber-level users to trigger AI form generation via a protected endpoint. When prompted, AI services will typically return bare JavaScript code (without <script> tags), which bypasses the plugin's sanitization. This stored JavaScript executes whenever anyone views the generated form, making it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts that will execute in the context of any user accessing the form.

Affects Plugins

Plugin icon
fluentform
Fixed in 6.1.15

References

CVE
CVE-2026-0996
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/00192a36-4b75-4dae-9a6e-0afb02ed5bad

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.4 (high)

Miscellaneous

Original Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Verified
No
WPVDB ID
760f542f-fc5d-4490-bb58-dc8103bdd0aa

Timeline

Publicly Published
2026-02-09 (about 3 months ago)
Added
2026-02-09 (about 3 months ago)
Last Updated
2026-02-09 (about 3 months ago)

Other

Published
Title
Published
2014-08-01
Title
Wordpress 2.8.1 - URL Remote Cross-Site Scripting (XSS)
Published
2025-06-25
Title
web-cam < 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via slug Parameter
Published
2024-11-08
Title
Pull This <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-10-03
Title
Podcast Subscribe Buttons < 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-02-28
Title
System Dashboard < 2.8.10 - XSS via Header Injection