Description
The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form-submission.js script in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS that allows arbitrary scripts to run when a user views the affected page
Action: Patch Now
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the form-submission.js script of Fluent Forms up to version 6.0.2. Insufficient input sanitization and output escaping let users with the Contributor role or higher insert malicious scripts that persist in the form. When any visitor loads the page containing the form, the injected scripts execute in the victim's browser; based on the description, an attacker could hijack sessions, deface content, or run arbitrary client-side code. The weakness is identified as CWE-79.
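As an added illustration of the sanitization-and-escaping gap described above (example code written for this page, not Fluent Forms' own form-submission.js; the renderer names, the wrapper markup and the sample message are assumed), the vulnerable output pattern beside its hardened form:

```javascript
// Added example, not Fluent Forms code. A hypothetical confirmation-message
// renderer of the kind a form-submission script might contain; names and
// markup are assumed for illustration.

// Escaper for the HTML text context: neutralises the five characters that can
// open a tag or break out of a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (CWE-79): stored, user-controlled text is interpolated
// straight into markup that will later be assigned to innerHTML.
function renderConfirmationUnsafe(message) {
  return `<div class="ff-message">${message}</div>`;
}

// Hardened pattern: escape at the point of output, for the context it lands in.
function renderConfirmationSafe(message) {
  return `<div class="ff-message">${escapeHtml(message)}</div>`;
}

// Defender-side check used to show the difference: does the produced markup
// carry any tag or inline event handler beyond our own wrapper? This is a
// demonstration aid, not a sanitizer.
function hasInjectedMarkup(html) {
  const inner = html
    .replace(/^<div class="ff-message">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-z!/]/i.test(inner) || /\son[a-z]+\s*=/i.test(inner);
}

// Constructed sample of a stored message a low-privileged user might save.
const SAMPLE_MESSAGE = "Thanks! <script>alert(1)</script>";
```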

Affected Systems

The affected product is Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder, version 6.0.2 and earlier. The vendor is techjewel. Any user with Contributor or higher role can exploit the flaw.

Risk and Exploitability

The CVSS score of 6.4 places the vulnerability in the medium severity range, but the EPSS score is below 1%, indicating a very low likelihood of exploitation at this time. It is not listed in the CISA KEV catalog, so it has not been reported as widely exploited. The attack requires the attacker to be authenticated as a Contributor or higher; from there they can embed malicious code through the form administration interface and have it execute for all visitors to the affected pages.

Generated by OpenCVE AI on April 21, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Fluent Forms to the latest version available in the WordPress plugin repository, ensuring that the fixed code is applied.
  • If an immediate upgrade is not possible, temporarily remove or disable the form-submission.js file or enforce stricter input validation to block script injection, reducing the attack surface for contributors.
  • Review user role assignments on the site; consider restricting Contributor privileges or implementing more granular access controls to limit the ability to modify form content.

Advisories
Source: EUVD
ID: EUVD-2025-11513
Title: The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form-submission.js script in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 17 Apr 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 07:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form-submission.js script in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | (none) | Fluent Forms <= 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses | (none) | CWE-79
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:46.169Z

Reserved: 2025-04-14T21:28:18.899Z

Link: CVE-2025-3615

Vulnrichment

Updated: 2025-04-17T16:02:28.761Z

NVD

Status: Deferred

Published: 2025-04-17T08:15:12.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses