CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder.
Explanation of Vulnerability in Simple Terms
Fluent Forms versions up to 6.1.7 lack proper authorization checks, allowing unauthenticated attackers to modify form data or settings over the network. The vulnerability requires no user interaction and can be exploited remotely. Site administrators should update to a version newer than 6.1.7 to restore proper access controls.
What an attacker can do
Modify form data or settings without authentication.
Potential impact on your site
Forms may be altered or corrupted by unauthorized parties, affecting data collection and user experience.
Conditions required to exploit
Network access only; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
