FluentForm

Shahjahan Jewel

Developer

6.2.1

Latest version

700,000

Installations

No date

Last updated

WordPress Plugin

No VDP

Claim ownership

Report vulnerability

Vulnerabilities

Security Contributors

Vulnerability history

0 present

29 patched

8 Mitigation rules

WordPress Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification vulnerability
6.1.21
1 hour ago
Authenticated (Subscriber+) Stored Cross-Site Scripting via Welcome Screen Fields vulnerability
<= 5.1.19
18/02/2026
Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module vulnerability
<= 6.1.14
10/02/2026
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
<= 5.1.19
02/02/2026
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
<= 5.1.19
02/02/2026
Broken Access Control vulnerability
<= 6.1.14
25/01/2026
Arbitrary Shortcode Execution vulnerability
<= 6.1.11
13/01/2026
Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Creation via AI Builder vulnerability
<= 6.1.7
06/01/2026
Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id vulnerability
<= 6.1.7
08/12/2025
Authenticated (Subscriber+) PHP Object Injection To Arbitrary File Read
5.1.16-6.1.1
02/09/2025
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
<= 6.0.2
17/04/2025
IP-Spoofing vulnerability
<= 5.2.12
21/03/2025
Unauthenticated Stored Cross-Site Scripting via Form Subject vulnerability
<= 5.2.6
13/12/2024
Admin+ Stored XSS vulnerability
< 5.2.1
09/12/2024
Authenticated (Form Manager+) Stored Cross-Site Scripting vulnerability
<= 5.1.19
07/10/2024
Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification vulnerability
<= 5.1.18
03/09/2024
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
<= 5.1.19
29/07/2024
PHP Object Injection vulnerability
<= 5.1.15
23/05/2024
Missing Authorization to Settings Update and Limited Privilege Escalation vulnerability
<= 5.1.16
20/05/2024
Missing Authorization to Setting Manipulation vulnerability
<= 5.1.16
20/05/2024
Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
<= 5.1.13
20/05/2024
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
<= 5.1.16
20/05/2024
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
<= 5.1.9
06/03/2024
Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title vulnerability
<= 5.1.5
19/01/2024
Broken Access Control vulnerability
<= 5.0.8
11/09/2023
SQL Injection vulnerability
<= 4.3.25
12/07/2023
Contributor+ Stored XSS via Custom HTML Form Field vulnerability
< 4.3.25
11/04/2023
CSV Injection vulnerability
<= 4.3.12
17/10/2022
Cross-Site Request Forgery (CSRF) vulnerability leading to stored Cross-Site Scripting (XSS)
<= 3.6.65
16/06/2021