Atomic Edge analysis of CVE-2025-69001:
The Fluent Forms WordPress plugin contains an unauthenticated arbitrary shortcode execution vulnerability in versions up to and including 6.1.11. The flaw sits in the form submission confirmation handler: submission data under the attacker's control reaches WordPress's do_shortcode() without sanitization, so an anonymous visitor can invoke any shortcode registered on the site. The issue was scored CVSS 6.5 (Medium severity) and lies in the plugin's core form processing path.
Atomic Edge research identified the root cause in FormHandler.php and SubmissionHandlerService.php. The vulnerability is reached when a submission uses a 'samePage' confirmation redirect. In the vulnerable code, user-controlled data that ends up in the 'messageToShow' value is passed unsanitized to do_shortcode() at lines 279 and 327 of FormHandler.php. The plugin builds that value from the submitted field data without validating it, so an attacker can plant shortcode syntax in the fields that feed it. The getReturnData() method in SubmissionHandlerService.php at line 310 assembles the message, and the ShortCodeParser::parse() call at line 325 expands the shortcodes it contains.
Exploitation consists of submitting a crafted form payload to the plugin's submission endpoint. The attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'fluentform_submit', a form_id parameter, and form data carrying shortcode syntax in the fields that are copied into the confirmation message. For example, a value such as [shortcode attribute='malicious_payload'] placed in one of those fields is incorporated into 'messageToShow'. Because the endpoint is reachable without a logged-in session and the plugin performs no sanitization before do_shortcode(), the shortcode's PHP callback runs server-side inside the WordPress process, and its output lands in the on-page confirmation message returned to the submitter. Which callbacks are reachable depends entirely on the shortcodes registered by the site's theme and other plugins.
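The request shape described above is enough to build a detection rule. The following Python heuristic is an added example (not part of the Atomic Edge analysis and not plugin code): it scans WAF or audit-log style records that capture POST bodies and flags fluentform_submit requests whose field values contain shortcode syntax. The records are constructed, and the nesting of form fields under a 'data' parameter is an assumption about the request layout, since this page only names the action and form_id parameters.

```python
"""Detection heuristic for shortcode-injection attempts against the Fluent Forms
submission endpoint (POST /wp-admin/admin-ajax.php, action=fluentform_submit).

Added example, not part of the Atomic Edge analysis. Records are constructed and
stand in for WAF / audit-log entries that capture POST bodies.
"""
import re
from urllib.parse import parse_qs, urlparse

# Opening shortcode tag: "[" + tag name + (whitespace, "/", "]" or end of string).
# Requiring the tag-name boundary keeps stray brackets in ordinary text from
# matching, but tune this against your own traffic.
SHORTCODE_RE = re.compile(r"\[[A-Za-z0-9_-]+(?:[\s/\]]|$)")

# Assumption: the plugin nests the submitted fields as a URL-encoded string under
# a 'data' parameter. This page only names action and form_id, so treat the key
# name as a placeholder to confirm against real captured requests.
NESTED_KEYS = {"data"}

# Constructed records: (method, path_with_query, urlencoded_body).
SAMPLE_RECORDS = [
    ("POST", "/wp-admin/admin-ajax.php?action=fluentform_submit",
     "form_id=3&data=names%5Bfirst_name%5D%3DAlice%26email%3Dalice%40example.test"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=fluentform_submit&form_id=3"
     "&data=names%5Bfirst_name%5D%3D%5Bmy_shortcode%20attr%3D%27x%27%5D"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&data=%5B1%5D"),
    ("GET", "/?s=%5Bgallery%5D", ""),
]


def ajax_action(path, body):
    """WordPress accepts the ajax action from the query string or the POST body."""
    from_query = parse_qs(urlparse(path).query).get("action")
    from_body = parse_qs(body).get("action")
    return (from_query or from_body or [None])[0]


def leaf_values(body):
    """Yield submitter-controlled values, descending one level into the nested
    form payload so PHP-style keys like names[first_name] are not scanned."""
    for key, values in parse_qs(body).items():
        for value in values:
            if key in NESTED_KEYS:
                for inner in parse_qs(value).values():
                    yield from inner
            else:
                yield value


def shortcode_injection_candidates(records):
    """Return the submission requests whose field values contain shortcode syntax."""
    hits = []
    for method, path, body in records:
        if method != "POST" or not urlparse(path).path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if ajax_action(path, body) != "fluentform_submit":
            continue
        suspicious = [v for v in leaf_values(body) if SHORTCODE_RE.search(v)]
        if suspicious:
            hits.append({"path": path, "values": suspicious})
    return hits


if __name__ == "__main__":
    for hit in shortcode_injection_candidates(SAMPLE_RECORDS):
        print(hit)
```

Only the second record is flagged: the first is an ordinary submission, the third is a different ajax action, and the fourth is a GET. Plain access logs do not carry POST bodies, so this needs a source that does (a WAF, ModSecurity audit log, or request mirror); a legitimate submitter typing square brackets into a free-text field will also trigger it, so treat hits as leads to review against the plugin version, not as confirmed exploitation.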
The patch addresses the vulnerability by sanitizing the input before any shortcode execution. In FormHandler.php, the developers added fluentform_sanitize_html() calls ahead of do_shortcode() at lines 278 and 310, and moved the do_shortcode() call so that it runs only after sanitization and filter application. In SubmissionHandlerService.php, they removed the do_shortcode() call from the message construction at line 327 and added sanitization at line 311. ShortCodeParser::parse() gained an additional $htmlSanitized parameter that enables automatic HTML sanitization while shortcodes are processed. Together these changes ensure that submitter input is sanitized before WordPress executes any shortcodes. Site owners should confirm the installed plugin version is newer than 6.1.11; this page does not name the first fixed release.
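To make the root cause and the fix concrete, here is an added Python model of the data flow (it is not the plugin's PHP and not WordPress's do_shortcode(); the tiny shortcode engine, the {inputs.name} placeholder syntax, the [site_name] and [user_list] handlers and the template text are all constructed for illustration). The vulnerable path merges submitter values into the confirmation message and then expands shortcodes over the whole string, which is the ordering the root-cause section describes. The hardened path is modelled on the patch description rather than transcribed from it: shortcodes are expanded only in the administrator-authored template, and submitter values are merged in afterwards, HTML-escaped and with their brackets neutralized, so they can never reach shortcode expansion.

```python
"""Model of the CVE-2025-69001 data flow: submitter input reaching shortcode
expansion, and a hardened ordering. Added example; the shortcode engine below is
a stand-in for WordPress's do_shortcode(), not WordPress or Fluent Forms code.
"""
import html
import re

# Registry of shortcode callbacks, in the spirit of WordPress's add_shortcode().
SHORTCODES = {}


def add_shortcode(tag, callback):
    SHORTCODES[tag] = callback


# [tag attr='v' attr2="v"] or [tag]; a self-closing "/" is tolerated.
SHORTCODE_RE = re.compile(
    r"\[([A-Za-z0-9_-]+)((?:\s+[A-Za-z0-9_-]+=(?:'[^']*'|\"[^\"]*\"))*)\s*/?\]"
)
ATTR_RE = re.compile(r"([A-Za-z0-9_-]+)=(?:'([^']*)'|\"([^\"]*)\")")


def do_shortcode(content):
    """Expand every registered [tag ...] in content; unknown tags are left as-is."""
    def expand(match):
        tag, raw_attrs = match.group(1), match.group(2)
        if tag not in SHORTCODES:
            return match.group(0)
        attrs = {k: (a or b) for k, a, b in ATTR_RE.findall(raw_attrs)}
        return SHORTCODES[tag](attrs)
    return SHORTCODE_RE.sub(expand, content)


# Constructed handlers standing in for whatever shortcodes a real site has
# registered. user_list is the kind of third-party shortcode that leaks data
# when an anonymous submitter can trigger it.
add_shortcode("site_name", lambda attrs: "Example Site")
add_shortcode("user_list", lambda attrs: "admin@example.test, editor@example.test")

# Administrator-authored confirmation template (constructed). {inputs.field}
# placeholders are filled from the submission, in the spirit of the plugin's
# smart codes; the [site_name] shortcode is the administrator's own.
TEMPLATE = "Thanks {inputs.name}! [site_name] received your message."


def substitute(template, inputs):
    """Fill {inputs.field} placeholders from the submitted field values."""
    return re.sub(r"\{inputs\.([A-Za-z0-9_]+)\}",
                  lambda m: inputs.get(m.group(1), ""), template)


def vulnerable_message(inputs):
    """Vulnerable order: merge submitter values first, then run do_shortcode()
    over the combined string, so any [tag] the submitter typed is expanded."""
    return do_shortcode(substitute(TEMPLATE, inputs))


def neutralize(value):
    """HTML-escape a submitter value and turn [ and ] into entities so that no
    later shortcode pass can parse it as a tag."""
    return html.escape(value, quote=True).replace("[", "&#91;").replace("]", "&#93;")


def hardened_message(inputs):
    """Hardened order: expand shortcodes only in the admin-authored template,
    then merge in neutralized submitter values. User data never reaches
    do_shortcode()."""
    safe = {k: neutralize(v) for k, v in inputs.items()}
    return substitute(do_shortcode(TEMPLATE), safe)


if __name__ == "__main__":
    hostile = {"name": "[user_list]"}  # constructed malicious submission
    print("vulnerable:", vulnerable_message(hostile))
    print("hardened:  ", hardened_message(hostile))
```

With the hostile submission, the vulnerable path returns the two e-mail addresses inside the confirmation text, while the hardened path returns the literal, entity-encoded "[user_list]". The point to carry over when reviewing similar code is the ordering: any sanitization applied after do_shortcode() is too late, because the callbacks have already run by then.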
Successful exploitation lets an unauthenticated attacker execute arbitrary WordPress shortcodes server-side, inside the PHP process that serves the request. The concrete impact is bounded by the set of shortcodes registered by the site's theme and plugins, and by whether their callbacks perform their own capability checks, since the triggering request carries no logged-in user. Depending on what is registered, that can mean remote code execution through plugins that expose dangerous shortcodes, disclosure of sensitive data through shortcodes that output database content, privilege escalation through user-management shortcodes, and site defacement through content injection into the confirmation message. The vulnerability affects every WordPress installation running Fluent Forms at version 6.1.11 or earlier; operators should update to a newer release without delay and, on sites where patching is delayed, review which shortcodes are registered and reachable.
