Description
The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling) as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests.
Published: 2026-05-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FluentCRM plugin for WordPress contains a blind server-side request forgery (SSRF) vulnerability that is triggered by supplying a crafted SubscribeURL parameter. An attacker who can send unauthenticated requests can cause the application to perform HTTP requests to arbitrary internal or external addresses. The flaw can be used to probe the application's network, exfiltrate data, or modify information on internal services; it is classified as a blind SSRF (CWE-918).

Affected Systems

All releases of the FluentCRM plugin up to and including version 2.9.87 are affected. The vulnerability is present in the WordPress plugin repository under the vendor name TechJewel. Users running any of these versions on a WordPress site are at risk if the site has not yet applied an update beyond 2.9.87.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not catalogued in CISA's KEV list. Exploitation requires that the SES bounce handling key '_fc_bounce_key' has never been configured, which is true for a site that remains in its default state. When that key is present, the authentication check prevents the SSRF from succeeding. Based on the description, it is inferred that as long as the site remains in the unconfigured default state, an attacker could use the blind SSRF to query or modify internal network services. The attack vector is an unauthenticated HTTP request to the plugin's external page handler.
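The failure mode the description outlines is a check that only rejects requests once a key has been stored. As an added illustration, not FluentCRM's own code, the following hypothetical WordPress-style handler shows that fail-open shape beside a fail-closed one, together with a host check on the SubscribeURL before it is followed. The function, option and parameter names and the SNS hostname pattern are assumptions made for the example.

```php
<?php
// Added example, not FluentCRM's code. All names here are hypothetical.

// Fail-open shape. WordPress's get_option() returns false for an option that
// was never stored, and PHP's loose comparison treats false, null and '' as
// equal, so a site that never configured the key accepts a request that
// simply omits the key.
function bounce_request_authorized_fail_open($stored_key, $request_key): bool
{
    return $stored_key == $request_key;
}

// Fail-closed shape: an unconfigured key rejects every request, and a
// configured key is compared in constant time.
function bounce_request_authorized($stored_key, $request_key): bool
{
    if (!is_string($stored_key) || $stored_key === '' || !is_string($request_key)) {
        return false;
    }
    return hash_equals($stored_key, $request_key);
}

// Before the application follows a SubscribeURL, require HTTPS and an SNS
// hostname. Assumption: SNS confirmation URLs are served from
// sns.<region>.amazonaws.com; adjust the pattern for other partitions.
function subscribe_url_allowed(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return false;
    }
    return (bool) preg_match('/^sns\.[a-z0-9-]+\.amazonaws\.com$/i', $parts['host']);
}

// Constructed sample inputs: an option that was never stored, a request that
// omits the key, an SNS-style URL and an internal URL.
$never_stored = false;
var_dump(bounce_request_authorized_fail_open($never_stored, null));
var_dump(bounce_request_authorized($never_stored, null));
var_dump(subscribe_url_allowed('https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=constructed'));
var_dump(subscribe_url_allowed('http://example.internal/'));
```

With the option unset, the fail-open function accepts the keyless request while the fail-closed one rejects it, and only the HTTPS SNS URL passes the host check. Storing the key, as the remediation below advises, closes the first gap; the second check limits what a forged SubscribeURL can reach even if the key check is bypassed.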

Generated by OpenCVE AI on May 22, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FluentCRM plugin to a version newer than 2.9.87 where the SSRF issue is fixed
  • Configure the SES bounce handling key by visiting the bounce configuration page; this generates and stores a random token that blocks unauthenticated SSRF attempts
  • Restrict unauthenticated access to the SubscribeURL endpoint by applying network or application‑level access controls (e.g., firewall rules or authentication requirements)

Tracking


Advisories

No advisories yet.

History

Fri, 22 May 2026 19:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 13:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Techjewel
  • Techjewel fluentcrm – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, And Crm Solution
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Techjewel
  • Techjewel fluentcrm – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, And Crm Solution
  • Wordpress
  • Wordpress wordpress

Fri, 22 May 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling) as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests.

Type: Title
Values Removed: (none)
Values Added: FluentCRM <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
  {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Techjewel Fluentcrm – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, And Crm Solution
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-22T18:36:42.222Z

Reserved: 2026-05-04T19:19:14.810Z

Link: CVE-2026-7798

Vulnrichment

Updated: 2026-05-22T18:36:38.511Z

NVD

Status : Received

Published: 2026-05-22T09:16:32.587

Modified: 2026-05-22T09:16:32.587

Link: CVE-2026-7798

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:37:50Z

Weaknesses