CVE-2026-0996 (GCVE-0-2026-0996)
Vulnerability from cvelistv5
Published
2026-02-10 05:29
Modified
2026-04-08 16:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscriber-level users to trigger AI form generation via a protected endpoint. When prompted, AI services will typically return bare JavaScript code (without <script> tags), which bypasses the plugin's sanitization. This stored JavaScript executes whenever anyone views the generated form, making it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts that will execute in the context of any user accessing the form.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder |
Version: 0 ≤ 6.1.14 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0996",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:39:54.764931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T15:40:55.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder",
"vendor": "techjewel",
"versions": [
{
"lessThanOrEqual": "6.1.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Osvaldo Noe Gonzalez Del Rio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscriber-level users to trigger AI form generation via a protected endpoint. When prompted, AI services will typically return bare JavaScript code (without \u003cscript\u003e tags), which bypasses the plugin\u0027s sanitization. This stored JavaScript executes whenever anyone views the generated form, making it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts that will execute in the context of any user accessing the form."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:32:17.369Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00192a36-4b75-4dae-9a6e-0afb02ed5bad?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/boot/globals.php#L438"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Modules/Ai/AiFormBuilder.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Modules/Ai/AiFormBuilder.php#L334"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Hooks/actions.php#L641"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3449710/fluentform/trunk/app/Hooks/actions.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-15T15:58:25.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-09T17:19:48.000Z",
"value": "Disclosed"
}
],
"title": "Fluent Forms \u003c= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0996",
"datePublished": "2026-02-10T05:29:42.034Z",
"dateReserved": "2026-01-15T15:42:36.325Z",
"dateUpdated": "2026-04-08T16:32:17.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0996\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-10T15:39:54.764931Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-10T15:40:49.973Z\"}}], \"cna\": {\"title\": \"Fluent Forms \u003c= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Osvaldo Noe Gonzalez Del Rio\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"techjewel\", \"product\": \"Fluent Forms \\u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.14\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-01-15T15:58:25.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-02-09T17:19:48.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/00192a36-4b75-4dae-9a6e-0afb02ed5bad?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/boot/globals.php#L438\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Modules/Ai/AiFormBuilder.php#L29\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Modules/Ai/AiFormBuilder.php#L334\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/fluentform/tags/6.1.12/app/Hooks/actions.php#L641\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3449710/fluentform/trunk/app/Hooks/actions.php\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscriber-level users to trigger AI form generation via a protected endpoint. When prompted, AI services will typically return bare JavaScript code (without \u003cscript\u003e tags), which bypasses the plugin\u0027s sanitization. This stored JavaScript executes whenever anyone views the generated form, making it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts that will execute in the context of any user accessing the form.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-02-10T05:29:42.034Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-0996\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-10T15:40:55.315Z\", \"dateReserved\": \"2026-01-15T15:42:36.325Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-02-10T05:29:42.034Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…