WordPress Plugin Vulnerabilities

Fluent Forms < 6.1.8 - Subscriber+ Arbitrary Form Creation via AI Builder

Description

The plugin is vulnerable to Missing Authorization due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder.

Affects Plugins

Plugin icon
fluentform
Fixed in 6.1.8

References

CVE
CVE-2025-13722
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7dbf179-7099-4dfb-8dad-780f996a7005

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marcin Dudek (dudekmar)
Verified
No
WPVDB ID
7ffa4418-4f5b-4c3d-80c5-61ec3d7c687b

Timeline

Publicly Published
2026-01-06 (about 4 months ago)
Added
2026-01-07 (about 4 months ago)
Last Updated
2026-01-07 (about 4 months ago)

Other

Published
Title
Published
2025-03-06
Title
Golo - Directory & Listing, Travel WordPress Theme < 1.6.11 - Missing Authorization to Privilege Escalation via Unauthenticated Arbitrary User Password Change
Published
2024-10-14
Title
Htaccess File Editor < 1.0.19 - Missing Authorization
Published
2025-01-16
Title
Debug Tool <= 2.2 - Missing Authorization
Published
2026-01-18
Title
AJAX Hits Counter + Popular Posts Widget <= 0.10.210305 - Missing Authorization
Published
2023-12-26
Title
Essential Blocks for Gutenberg < 4.2.1 - Contributor+ Unauthorised Actions