CVE-2026-6828: The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is...

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permission_message' parameter in all versions up to, and including, 6.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Ghostwire Analysis — What This Means Practically

Exploitation Probability (EPSS): Low — 0.04% (11th percentile)

Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

CVE-2026-6828: The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is...

Description

Ghostwire Analysis — What This Means Practically

Security Coverage (1 articles)

References