VYPR

Vendor CVEs

Fluentforms

All CVEs

26 total · sorted by risk
  • CVE-2024-2771CriMay 18, 2024
    risk 0.58cvss 9.8epss 0.02

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including,…

  • CVE-2026-2428HigFeb 27, 2026
    risk 0.49cvss 7.5epss 0.00

    The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default…

  • CVE-2026-2365HigMar 5, 2026
    risk 0.47cvss 7.2epss 0.00

    The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without…

  • CVE-2026-2899MedMar 5, 2026
    risk 0.42cvss 6.5epss 0.00

    The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is…

  • CVE-2025-9260MedSep 3, 2025
    risk 0.42cvss 6.5epss 0.01

    The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible…

  • CVE-2024-4157HigMay 22, 2024
    risk 0.42cvss 7.5epss 0.01

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This…

  • CVE-2024-2782HigMay 18, 2024
    risk 0.42cvss 7.5epss 0.01

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up…

  • CVE-2023-24410MedOct 31, 2023
    risk 0.36cvss 5.5epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection.This issue affects…

  • CVE-2026-0996MedFeb 10, 2026
    risk 0.35cvss 6.4epss 0.00

    The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The…

  • CVE-2026-0632MedFeb 9, 2026
    risk 0.35cvss 5.4epss 0.00

    The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.12 via the 'saveDataSource' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make…

  • CVE-2025-3615MedApr 17, 2025
    risk 0.35cvss 6.4epss 0.00

    The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form-submission.js script in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2024-4709MedMay 18, 2024
    risk 0.35cvss 6.4epss 0.00

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ parameter in versions up to, and including, 5.1.16 due to insufficient input sanitization and output…

  • CVE-2024-2772MedMay 18, 2024
    risk 0.35cvss 6.4epss 0.00

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 5.1.13 due to insufficient input sanitization and output escaping.…

  • CVE-2023-6957MedMar 13, 2024
    risk 0.32cvss 4.9epss 0.00

    The Fluent Forms plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject…

  • CVE-2025-13722MedJan 7, 2026
    risk 0.27cvss 5.3epss 0.00

    The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX…

  • CVE-2025-13748MedDec 6, 2025
    risk 0.27cvss 5.3epss 0.00

    The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user…

  • CVE-2024-13666MedMar 22, 2025
    risk 0.27cvss 5.3epss 0.00

    The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as…

  • CVE-2024-6521MedJul 27, 2024
    risk 0.22cvss 4.4epss 0.00

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dropdown fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output…

  • CVE-2024-6520MedJul 27, 2024
    risk 0.22cvss 4.4epss 0.00

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom error message in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output…

  • CVE-2024-6518MedJul 27, 2024
    risk 0.22cvss 4.4epss 0.00

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via input fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping.…

  • CVE-2024-0618MedJan 27, 2024
    risk 0.22cvss 4.4epss 0.01

    The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output…

  • CVE-2024-10646Dec 14, 2024
    risk 0.00cvss epss 0.00

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form's subject parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and…

  • CVE-2024-9651Dec 9, 2024
    risk 0.00cvss epss 0.00

    The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2024-9528Oct 5, 2024
    risk 0.00cvss epss 0.00

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output…

  • CVE-2024-6703Jul 27, 2024
    risk 0.00cvss epss 0.00

    The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ and 'btn_txt' parameters in all versions up to, and including, 5.1.19 due to insufficient input…

  • CVE-2021-34620Jul 7, 2021
    risk 0.00cvss epss 0.03

    The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions