Cyber Resilience

CVE-2026-2365

Severity: High

Published: 05 March 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0021 (42.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2365 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fluentforms (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.9th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2365, published on 2026-03-05, is a stored cross-site scripting vulnerability (CWE-79) in the Fluent Forms Pro plugin for WordPress, affecting all versions up to and including 6.1.17. The flaw exists in the `fluentform_step_form_save_data` AJAX action, where the draft form submission endpoint is publicly accessible without authentication or nonce verification. This is compounded by insufficient input sanitization and output escaping of form field data, enabling the injection of arbitrary web scripts into pages.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By submitting malicious payloads via the exposed endpoint, attackers can store scripts in partial form entries, which execute in an administrator's browser context whenever those entries are viewed.

Advisories and patch information are detailed in the Fluent Forms changelog at https://fluentforms.com/docs/changelog/#3-toc-title, with vulnerable code visible at https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Modules/Form/FormDataParser.php#L57, and additional threat intelligence from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/5e911b0a-a236-4df3-b997-3631412a1b55?source=cve.

Vulnerability details

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Stored XSS in a publicly exposed, unauthenticated AJAX endpoint directly enables remote exploitation of a public-facing web application (T1190) and execution of attacker-supplied JavaScript in an administrator's browser context (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

Fluentforms (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3 Access Enforcement): Directly enforces authentication and authorization on the publicly exposed `fluentform_step_form_save_data` endpoint, blocking unauthenticated attackers from submitting malicious payloads.

prevent (SI-10 Information Input Validation): Requires validation and sanitization of all form-field inputs received via the draft-submission AJAX action, preventing storage of arbitrary scripts.

prevent: Mandates output filtering/escaping of stored form-entry data before administrator display, neutralizing script execution even if malicious content is persisted.
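As an added illustration (a hypothetical plugin handler, not Fluent Forms' code), the weak endpoint pattern the analysis above describes beside a hardened version that applies the AC-3 and SI-10 controls and escapes on output; the `demo_*` names, the `edit_posts` capability and the option-based draft storage are assumptions.

```php
<?php
// Hypothetical WordPress draft-save AJAX handler (constructed example, not the plugin's code).

// BEFORE: the three weaknesses from the advisory. The wp_ajax_nopriv_ hook exposes the
// action to anonymous visitors, there is no nonce check, and the payload is stored raw.
add_action( 'wp_ajax_nopriv_demo_save_draft', 'demo_save_draft_unsafe' );
add_action( 'wp_ajax_demo_save_draft', 'demo_save_draft_unsafe' );
function demo_save_draft_unsafe() {
    $draft_id = (int) $_POST['draft_id'];
    $fields   = $_POST['fields'];                        // untrusted, unsanitized
    update_option( 'demo_draft_' . $draft_id, $fields ); // persisted exactly as submitted
    wp_send_json_success();
}

// AFTER: authenticated users only (no nopriv hook), capability check (AC-3),
// nonce check against CSRF, and per-field sanitization before storage (SI-10).
add_action( 'wp_ajax_demo_save_draft', 'demo_save_draft_safe' );
function demo_save_draft_safe() {
    check_ajax_referer( 'demo_save_draft', '_ajax_nonce' ); // dies on a missing/invalid nonce
    if ( ! current_user_can( 'edit_posts' ) ) {            // assumed capability for this demo
        wp_send_json_error( 'forbidden', 403 );
    }
    $draft_id = absint( $_POST['draft_id'] ?? 0 );
    $raw      = ( isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) )
        ? wp_unslash( $_POST['fields'] ) : array();
    $fields   = array();
    foreach ( $raw as $name => $value ) {
        // sanitize_text_field() strips tags and control characters; keys become safe slugs.
        $fields[ sanitize_key( $name ) ] = sanitize_text_field( (string) $value );
    }
    update_option( 'demo_draft_' . $draft_id, $fields, false );
    wp_send_json_success( array( 'draft_id' => $draft_id, 'fields' => count( $fields ) ) );
}

// Admin-side rendering of a partial entry: escape at the point of output, so even a
// value that slipped past input sanitization is shown as text rather than markup.
function demo_render_draft( $draft_id ) {
    $fields = (array) get_option( 'demo_draft_' . absint( $draft_id ), array() );
    echo '<table class="widefat">';
    foreach ( $fields as $name => $value ) {
        echo '<tr><th>' . esc_html( $name ) . '</th><td>' . esc_html( $value ) . '</td></tr>';
    }
    echo '</table>';
}
```

If a product genuinely needs anonymous draft saving, the input sanitization and output escaping still apply unchanged; the nonce then offers limited protection for logged-out users, so bind the draft to a per-visitor token and rate-limit the endpoint instead of relying on the nonce alone.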
