CVE-2026-2365
Published: 05 March 2026
Summary
CVE-2026-2365 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fluentforms (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2365, published on 2026-03-05, is a stored cross-site scripting vulnerability (CWE-79) in the Fluent Forms Pro plugin for WordPress, affecting all versions up to and including 6.1.17. The flaw exists in the `fluentform_step_form_save_data` AJAX action, where the draft form submission endpoint is publicly accessible without authentication or nonce verification. This is compounded by insufficient input sanitization and output escaping of form field data, enabling the injection of arbitrary web scripts into pages.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By submitting malicious payloads via the exposed endpoint, attackers can store scripts in partial form entries, which execute in an administrator's browser context whenever those entries are viewed.
Advisories and patch information are detailed in the Fluent Forms changelog at https://fluentforms.com/docs/changelog/#3-toc-title, with vulnerable code visible at https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Modules/Form/FormDataParser.php#L57, and additional threat intelligence from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/5e911b0a-a236-4df3-b997-3631412a1b55?source=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9524
Vulnerability details
The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
Stored XSS in a publicly exposed, unauthenticated AJAX endpoint directly enables remote exploitation of a public-facing web application (T1190) and execution of attacker-supplied JavaScript in an administrator's browser context (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization on the publicly exposed `fluentform_step_form_save_data` endpoint, blocking unauthenticated attackers from submitting malicious payloads.
- SI-10 (Information Input Validation): requires validation and sanitization of all form-field inputs received via the draft-submission AJAX action, preventing storage of arbitrary scripts.
- Output filtering/escaping: mandates escaping of stored form-entry data before it is displayed to an administrator, neutralizing script execution even if malicious content is persisted.
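The three controls above, applied to a WordPress AJAX draft-save handler, as an added example that is not Fluent Forms' own code (only the action name comes from the advisory; the function names, the `security` nonce field, the `form_id`/`fields` request parameters and the option-based storage are assumptions). The action is registered for logged-in users only and checks a nonce, every field is sanitized before it is stored, and stored values are escaped when an administrator views the entry.

```php
<?php
// Added example, not Fluent Forms' code: a hardened WordPress AJAX handler for
// a draft-save action, closing the three defects the advisory describes: no
// authentication/nonce check, no input sanitization, no output escaping.
// Only the action name comes from the advisory; all other names are assumed.
add_action( 'wp_ajax_fluentform_step_form_save_data', 'hardened_step_form_save_data' );
// Deliberately NOT registered on 'wp_ajax_nopriv_*': the endpoint is not
// reachable by unauthenticated visitors (NIST 800-53 AC-3).
function hardened_step_form_save_data() {
    // 1. Nonce: the request must carry a nonce minted for this action (sent in
    //    the assumed 'security' field); the request dies when it is missing or invalid.
    check_ajax_referer( 'fluentform_step_form_save_data', 'security' );

    // 2. Authorization: 'read' is the minimum capability of any logged-in user;
    //    tighten to whatever the application actually requires.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid form id' ), 400 );
    }

    // 3. Input validation (SI-10): accept only string values under expected
    //    keys, strip tags and control characters, and cap the length.
    $raw    = isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) ? $_POST['fields'] : array();
    $fields = array();
    foreach ( $raw as $name => $value ) {
        $name = sanitize_key( $name );
        if ( '' === $name || ! is_string( $value ) ) {
            continue; // drop unexpected keys and nested structures
        }
        $fields[ $name ] = substr( sanitize_textarea_field( wp_unslash( $value ) ), 0, 4096 );
    }

    // Assumed storage: a real plugin would write to its own entries table.
    update_option( 'draft_' . $form_id . '_' . get_current_user_id(), $fields, false );
    wp_send_json_success( array( 'saved' => count( $fields ) ) );
}
// Output escaping when an administrator views a stored draft: stored values are
// still treated as untrusted text, so anything that slipped past input
// sanitization is rendered inert rather than executed.
function render_draft_entry( array $fields ) {
    echo '<table class="widefat">';
    foreach ( $fields as $name => $value ) {
        printf( '<tr><th>%s</th><td>%s</td></tr>', esc_html( $name ), esc_html( $value ) );
    }
    echo '</table>';
}
```

If guest drafts must remain supported, the same nonce check works for logged-out visitors, but a nonce alone does not stop an unauthenticated attacker who can fetch one from the public form page, so the sanitization and escaping steps then carry the real weight.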