Description
The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscriber-level users to trigger AI form generation via a protected endpoint. When prompted, AI services will typically return bare JavaScript code (without <script> tags), which bypasses the plugin's sanitization. This stored JavaScript executes whenever anyone views the generated form, making it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts that will execute in the context of any user accessing the form.
INFO
Published Date :
2026-02-10T05:29:42.034Z
Last Modified :
2026-02-10T15:40:55.315Z
Source :
Wordfence
AFFECTED PRODUCTS
The following products are affected by CVE-2026-0996 vulnerability.
| Vendors | Products |
|---|---|
| Techjewel |
|
| Wordpress |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-0996.
