The Fluent Forms plugin for WordPress, versions up to and including 5.1.19, suffers from a stored cross-site scripting vulnerability due to insufficient input sanitization and output escaping in input fields. This vulnerability enables authenticated users with administrator or higher privileges to inject arbitrary web scripts that execute when the affected pages are viewed. The issue specifically impacts multi-site WordPress installations or those where the unfiltered_html capability is disabled, increasing the risk of persistent script injection. The CVSS 3.1 base score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, and requiring high privileges but no user interaction. No vendor-provided patch or remediation details are available, and no exploits have been observed in the wild.

An attacker with administrator-level permissions can exploit this vulnerability to inject persistent malicious scripts into pages generated by the Fluent Forms plugin. These scripts execute in the context of users viewing the injected pages, potentially leading to data theft, session hijacking, or other script-based attacks. The vulnerability is limited to multi-site WordPress setups or those with unfiltered_html disabled, reducing the attack surface. The impact is rated medium due to the required high privileges and lack of known active exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict administrator access to trusted users only and consider disabling or limiting the use of the Fluent Forms plugin in multi-site environments or where unfiltered_html is disabled. Monitor vendor channels for updates and apply patches promptly once available.