WP-Safety
CVE-2021-34620

WP Fluent Forms < 3.6.67 - Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
8.8
CVSS Score
8.8
CVSS Score
high
Severity
3.6.67
Patched in
951d
Time to patch

Description

The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<3.6.67
PublishedJune 16, 2021
Last updatedJanuary 22, 2024
Affected pluginfluentform
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/8e039295-2ccf-450c-8f2a-d113117b9dce?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database