Fluent Forms Pro Add On Pack Vulnerability (High) – CVE-2026-2365


by | Mar 4, 2026 | Plugins

Attack Vectors

Fluent Forms Pro Add On Pack (slug: fluentformpro) versions 6.1.17 and earlier are affected by a High-severity Stored Cross-Site Scripting (XSS) vulnerability tracked as CVE-2026-2365 (CVSS 7.2).

An attacker does not need to be logged in to attempt exploitation. The issue involves the plugin’s draft form submission feature, where data can be sent to a public-facing AJAX endpoint and stored as a partial entry. If malicious script content is saved into form fields, it can later run in an administrator’s browser when they review a partial submission.

Security Weakness

This vulnerability stems from a draft form submission endpoint being accessible without authentication and without nonce verification, combined with insufficient input sanitization and output escaping of form field data. In practical terms, that means untrusted input can be stored and then displayed in a way that allows scripts to execute when viewed.

Because the script executes in the context of an admin viewing the entry, the risk extends beyond a simple website defacement. It can become a pathway to access sensitive administrative actions or data visible to that user’s session.
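To make the four missing controls concrete (an authenticated endpoint, nonce verification, input sanitization, output escaping), here is a hardened WordPress AJAX handler for a draft-entry save action. This is an added illustration, not Fluent Forms code: the `draftdemo_*` names, the `fields` POST parameter, and the user-meta storage are invented for the example.

```php
<?php
// Hypothetical hardened "save draft entry" AJAX handler (not Fluent Forms code).
// Only wp_ajax_ is hooked, so unauthenticated callers get WordPress's default rejection.
// If anonymous drafts are a required feature, the wp_ajax_nopriv_ hook can be added,
// but the nonce check, sanitization and escaping below must stay in place.
add_action( 'wp_ajax_draftdemo_save_entry', 'draftdemo_save_entry' );

function draftdemo_save_entry() {
    // 1. CSRF protection: reject requests that lack a valid nonce for this action
    //    (the advisory notes the vulnerable endpoint had no nonce verification).
    check_ajax_referer( 'draftdemo_save_entry', 'nonce' );

    // 2. Authorization: make the permission check explicit rather than implicit.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input sanitization: strip markup from every submitted field before storage.
    $raw    = isset( $_POST['fields'] ) ? wp_unslash( $_POST['fields'] ) : array();
    $fields = array();
    foreach ( (array) $raw as $name => $value ) {
        $key            = sanitize_key( $name );
        $fields[ $key ] = is_array( $value )
            ? array_map( 'sanitize_text_field', $value )
            : sanitize_text_field( $value );
    }

    update_user_meta( get_current_user_id(), 'draftdemo_partial_entry', $fields );
    wp_send_json_success( array( 'saved' => count( $fields ) ) );
}

// 4. Output escaping: when an administrator reviews a partial entry, escape at render
//    time regardless of what happened on input (defence in depth against stored XSS).
function draftdemo_render_entry( array $fields ) {
    echo '<table class="widefat">';
    foreach ( $fields as $name => $value ) {
        printf(
            '<tr><th>%s</th><td>%s</td></tr>',
            esc_html( $name ),
            esc_html( is_array( $value ) ? implode( ', ', $value ) : $value )
        );
    }
    echo '</table>';
}
```

The render-time `esc_html()` call is the control that prevents stored content from executing in the reviewing administrator's browser even if a sanitization gap lets markup reach the database.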

Technical or Business Impacts

Business risk: Stored XSS can undermine trust in your website, create reputational damage, and increase the likelihood of regulatory or contractual scrutiny if customer or lead data is exposed. For marketing teams, this can directly impact campaign integrity, lead capture reliability, and brand credibility.

Operational risk: If an administrator’s session is impacted while reviewing partial entries, attackers may be able to interfere with site configuration, inject further malicious content, or disrupt web operations. Even without a full outage (CVSS indicates no direct availability impact), the downstream effects can include incident response costs, downtime for remediation, and potential loss of revenue from paused campaigns.

Compliance risk: Any compromise involving form submissions and administrative access can raise questions about data handling controls, audit readiness, and breach notification obligations depending on what information is collected in forms.

Severity and remediation: This issue is rated High severity. Update Fluent Forms Pro Add On Pack to 6.1.18 or a newer patched version as soon as possible.

Similar Attacks

Stored XSS vulnerabilities in popular platforms have been repeatedly used to compromise accounts, alter site content, and abuse trusted user sessions. Examples include:

WordPress 6.2 security release notes (includes XSS-related fixes)

PortSwigger: Stored Cross-site Scripting (overview and real-world abuse patterns)

OWASP: Cross-Site Scripting (XSS) attack guidance
