VYPR
Medium severity (score 5.4) · NVD Advisory · Published May 22, 2026

CVE-2026-7798

Description

The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling) as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated blind SSRF in FluentCRM up to 2.9.87 via SubscribeURL parameter when the SES bounce key is not stored.

Vulnerability

Blind Server-Side Request Forgery exists in the FluentCRM plugin for WordPress, versions up to and including 2.9.87, via the SubscribeURL parameter. The vulnerability is located in the SES bounce handler within ExternalPages.php. When the _fc_bounce_key option has never been set (site in default state), an unauthenticated request to route=bounce_handler with provider=ses bypasses the authentication check: the guard is the comparison $verifyKey !== $sesBounceKey, which evaluates to false when both values are empty strings, so the rejection branch is never taken [1][2]. This allows an attacker to control a URL that the server will fetch, leading to blind SSRF.

Exploitation

An unauthenticated attacker sends a GET or POST request to the WordPress site with the parameters ?fluentcrm=1&route=bounce_handler&provider=ses&verify_key= (empty verify_key). Because the _fc_bounce_key option is not stored, the condition $verifyKey !== $sesBounceKey evaluates to false, and the plugin proceeds to process the bounce. The attacker then supplies a malicious SubscribeURL value, which the server attempts to retrieve using its own HTTP client. No prior authentication or user interaction is required, though the site must be in its default, unconfigured state with respect to SES bounce handling.

Impact

Successful exploitation allows the attacker to make arbitrary outbound HTTP requests from the web server. This can be used to scan internal networks, query cloud metadata endpoints (e.g., AWS IMDS), or interact with internal services that accept HTTP requests. The SSRF is blind — the response contents are not directly returned to the attacker, but errors or side effects can be observed. The attack is constrained to TCP ports and protocols supported by WordPress's HTTP API.

Mitigation

The vendor addressed this vulnerability in FluentCRM version 2.9.88 (release date not publicly specified in the available references). Users should update immediately. If updating is not possible, ensure the SES bounce handling key is configured by visiting the bounce configuration page at /wp-admin/admin.php?page=fluentcrm-admin#/settings/bounce, which auto-generates and stores a random _fc_bounce_key. Once stored, the authentication check will properly reject unauthenticated requests. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.
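To make the Vulnerability and Mitigation sections concrete, the following PHP is an added illustration, not FluentCRM's code and not taken from the advisory's references. It reconstructs the weak check pattern the advisory describes (a strict inequality against a key that was never stored) beside a fail-closed version of the same check, and adds a hardened fetch of the SNS SubscribeURL. The function names, the simulated stored/empty key values and the SNS host allow-list are assumptions for the example; hash_equals is standard PHP, and wp_http_validate_url, wp_safe_remote_get and WP_Error are real WordPress APIs, so the fetch helper assumes a WordPress runtime while the two check functions run in plain PHP.

```php
<?php
// Added example (hypothetical reconstruction, not FluentCRM's code).
// Shows why "$verifyKey !== $sesBounceKey" lets a request through when the
// stored key was never generated, and how a fail-closed check avoids that.

// Weak pattern: strict inequality against a possibly-empty stored key.
function weak_bounce_auth(string $verifyKey, string $storedKey): bool
{
    // When '_fc_bounce_key' was never stored, the option lookup yields its
    // default ('' here), and a request with verify_key= also yields ''.
    // '' !== '' is false, so the rejection branch below is skipped.
    if ($verifyKey !== $storedKey) {
        return false;
    }
    return true;
}

// Hardened pattern: fail closed on a missing key, compare in constant time.
function hardened_bounce_auth(string $verifyKey, string $storedKey): bool
{
    // An unconfigured feature can have no legitimate inbound bounce traffic,
    // so an empty stored key (or an empty supplied key) is always rejected.
    if ($storedKey === '' || $verifyKey === '') {
        return false;
    }
    // hash_equals() avoids leaking key bytes through comparison timing.
    return hash_equals($storedKey, $verifyKey);
}

// Hardened fetch of an SNS SubscribeURL (assumes a WordPress runtime).
// The host allow-list is an assumed policy for this example: SNS
// subscription-confirmation URLs live on sns.<region>.amazonaws.com, so
// the handler has no reason to fetch any other host.
function safe_fetch_subscribe_url(string $url)
{
    $parts = parse_url($url);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https') {
        return new WP_Error('bad_scheme', 'SubscribeURL must use https');
    }
    $host = strtolower($parts['host'] ?? '');
    if (!preg_match('/^sns\.[a-z0-9-]+\.amazonaws\.com$/', $host)) {
        return new WP_Error('bad_host', 'SubscribeURL host is not allowed');
    }
    // wp_http_validate_url() rejects loopback, private and link-local
    // targets; wp_safe_remote_get() enforces the same reject_unsafe_urls
    // policy at request time, including on any redirect target.
    if (!wp_http_validate_url($url)) {
        return new WP_Error('unsafe_url', 'SubscribeURL failed validation');
    }
    return wp_safe_remote_get($url, ['timeout' => 5, 'redirection' => 0]);
}

// Stand-alone comparison of the two checks (plain PHP, no WordPress needed).
$storedKey = ''; // constructed: simulates a site where the key was never stored
$verifyKey = ''; // constructed: a request carrying verify_key= with no value
var_dump(weak_bounce_auth($verifyKey, $storedKey));
var_dump(hardened_bounce_auth($verifyKey, $storedKey));
```

Running the script with both keys empty shows the difference between the two guards: the weak function treats the unconfigured state as authenticated, while the hardened function refuses it. The second function is the behaviour the advisory's workaround approximates by forcing a random _fc_bounce_key to be stored; the fetch helper goes one step further than the advisory by not trusting the SubscribeURL even for authenticated bounce notifications.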

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0 (No linked articles in our index yet.)