Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection.This issue affects FluentForm: from n/a through <= 6.1.11.
Published: 2026-01-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of code generation flaw that allows an attacker to inject and execute arbitrary code through the FluentForm plugin’s shortcode handling. The flaw introduces a code‑injection path that could lead to server‑side script execution and compromise the confidentiality, integrity, or availability of the web application. The CVSS score of 5.3 indicates a moderate severity with potential for significant impact if exploited.

Affected Systems

The flaw affects the Shahjahan Jewel FluentForm plugin from earliest release through version 6.1.11 inclusive. Any WordPress site using FluentForm within this version range is vulnerable. No other products or versions are listed.

Risk and Exploitability

The EPSS score of less than 1% suggests a low probability of enterprise‑wide exploitation, and the vulnerability is not listed in CISA KEV. Attackers would need to supply a malicious shortcode or form input that contains exploitable code; the exact attack vector is not detailed in the description but is logically inferred from the injection nature of the flaw. The moderate CVSS emphasises that, while not high severity, the impact could be grave if an attacker succeeds.

Generated by OpenCVE AI on April 29, 2026 at 10:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FluentForm plugin to version 6.1.12 or later.
  • Remove or neutralise any legacy or suspicious shortcodes that may have been injected.
  • Configure the plugin or the site’s PHP settings to restrict or sanitize shortcode content, ensuring that only approved shortcodes are processed.

Generated by OpenCVE AI on April 29, 2026 at 10:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection.This issue affects FluentForm: from n/a through <= 6.1.11.
Title WordPress FluentForm plugin <= 6.1.11 - Arbitrary Shortcode Execution vulnerability
Weaknesses CWE-94
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:29:45.901Z

Reserved: 2025-12-29T11:18:13.437Z

Link: CVE-2025-69001

cve-icon Vulnrichment

Updated: 2026-01-28T16:38:45.438Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:15.757

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69001

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')