CVE-2025-13722: CWE-862 Missing Authorization in techjewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
CVE-2025-13722 is a medium-severity vulnerability in the WordPress plugin Fluent Forms, affecting all versions up to 6.1.7. It arises from missing authorization checks on the AJAX action 'fluentform_ai_create_form', allowing authenticated users with Subscriber-level access or higher to create arbitrary forms via the AI builder. Although this does not directly impact confidentiality or availability, it can lead to integrity issues by enabling unauthorized form creation, potentially facilitating phishing or social engineering attacks. Exploitation requires authentication but no special privileges beyond Subscriber level, and no user interaction beyond login is needed. No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites should prioritize patching or mitigating this vulnerability to prevent misuse. Countries with high WordPress adoption and significant use of this plugin, such as Germany, the UK, France, and the Netherlands, are most likely to be affected. Mitigation includes restricting Subscriber permissions, monitoring form creation activity, and applying updates once available.
AI Analysis
Technical Summary
CVE-2025-13722 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder WordPress plugin developed by techjewel. The flaw exists in all versions up to and including 6.1.7 due to the absence of proper capability checks on the AJAX action 'fluentform_ai_create_form'. This action is publicly exposed and can be invoked by any authenticated user with at least Subscriber-level access, which is typically the lowest privilege level assigned to registered users on WordPress sites. Exploiting this vulnerability allows such users to create arbitrary forms through the plugin's AI form builder feature without proper authorization. While the vulnerability does not directly disclose sensitive data or disrupt service availability, it compromises the integrity of the website by enabling unauthorized content injection. Attackers could leverage this to create deceptive forms that facilitate phishing, data harvesting, or social engineering campaigns targeting site visitors or administrators. The CVSS v3.1 base score is 5.3 (medium severity), reflecting network exploitability, low attack complexity, no privileges required beyond authentication, and no user interaction needed. No patches or updates were linked at the time of publication, and no known exploits have been reported in the wild. The vulnerability was reserved in late 2025 and published in early 2026 by Wordfence, indicating recent discovery and disclosure.
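The following is an added illustration of the CWE-862 pattern the analysis describes, written for this page and not taken from Fluent Forms, techjewel or Wordfence. In WordPress, any logged-in user can trigger a 'wp_ajax_{action}' hook through admin-ajax.php, so authorization has to be enforced inside the handler itself. The hook name follows the WordPress convention for the action named in the advisory; the handler bodies, the 'example_' function names, the nonce action string and the capability 'manage_options' are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not plugin code): a WordPress AJAX handler that lacks an
 * authorization check, beside the hardened form of the same handler.
 * The 'wp_ajax_' prefix means the hook only fires for authenticated users,
 * but "authenticated" includes the Subscriber role, which is the point of CWE-862.
 */

// Vulnerable pattern: every logged-in user reaches this hook, and nothing
// verifies that the caller is allowed to create forms before state changes.
function example_vulnerable_ai_create_form() {
    $prompt  = isset($_POST['prompt']) ? sanitize_text_field(wp_unslash($_POST['prompt'])) : '';
    $form_id = example_store_form($prompt);
    wp_send_json_success(['form_id' => $form_id]);
}

// Hardened pattern: a nonce check (request forgery) and a capability check
// (authorization) both run before anything is persisted.
function example_hardened_ai_create_form() {
    // Rejects requests that do not carry the nonce issued to the plugin's own UI.
    check_ajax_referer('example_ai_create_form', 'nonce');

    // This is the control CWE-862 describes as missing. 'manage_options' is an
    // assumed stand-in; a real plugin would use its own form-management capability.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    $prompt  = isset($_POST['prompt']) ? sanitize_text_field(wp_unslash($_POST['prompt'])) : '';
    $form_id = example_store_form($prompt);
    wp_send_json_success(['form_id' => $form_id]);
}

// Assumed persistence helper; a real form builder would write to its own tables.
// Here the form is stored as a private post so the example runs on a stock install.
function example_store_form($prompt) {
    return wp_insert_post([
        'post_type'    => 'post',
        'post_status'  => 'private',
        'post_title'   => 'AI-generated form',
        'post_content' => $prompt,
    ]);
}

// Only the hardened handler is registered; the vulnerable one is kept for contrast.
add_action('wp_ajax_fluentform_ai_create_form', 'example_hardened_ai_create_form');
```

The two handlers differ only in the two checks at the top of the hardened version. A code review for this bug class therefore reduces to one question per 'wp_ajax_' callback: does a capability check run before the first write?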
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the integrity of their WordPress-based websites that utilize the Fluent Forms plugin. Unauthorized form creation can be exploited to deploy malicious or fraudulent forms, potentially leading to phishing attacks against customers or employees, data collection abuse, or reputational damage. Although it does not directly compromise confidentiality or availability, the ability to inject arbitrary forms can facilitate further attacks or social engineering campaigns. Organizations in sectors with high reliance on customer interaction via web forms—such as e-commerce, finance, healthcare, and public services—may face elevated risks. Additionally, regulatory frameworks like GDPR impose strict requirements on data protection and user consent, so misuse of forms could result in compliance violations and fines. The medium severity score indicates a need for timely remediation, especially since exploitation requires only authenticated Subscriber-level access, which might be obtained through credential compromise or weak registration controls.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should implement the following specific measures:
1) Immediately audit user roles and permissions on WordPress sites to ensure that Subscriber-level accounts are tightly controlled and monitored; restrict account creation and enforce strong authentication mechanisms such as MFA.
2) Temporarily disable or restrict access to the AI form builder feature if possible until a patch is released.
3) Monitor logs and alerts for unusual form creation activity, especially from accounts with minimal privileges.
4) Apply the principle of least privilege by reviewing and limiting the capabilities assigned to Subscriber and other low-level roles.
5) Stay informed about updates from the plugin vendor and apply security patches promptly once available.
6) Consider implementing web application firewalls (WAF) with custom rules to detect and block unauthorized AJAX requests related to 'fluentform_ai_create_form'.
7) Educate site administrators and users about the risks of unauthorized form creation and phishing attempts.
These targeted actions go beyond generic advice by focusing on controlling authenticated user capabilities and monitoring specific plugin behavior.
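Recommendations 2, 3 and 6 above can be combined into one site-side interim control that needs no change to the plugin: a must-use plugin that intercepts the AJAX action before the plugin's own handler runs, enforces a capability, and logs every attempt. This is an added example written for this page, not code from Fluent Forms, techjewel or Wordfence. The file name, the 'example_' function name, the capability 'manage_options' and the '[ff-guard]' log format are assumptions; the hook mechanics (mu-plugins load before regular plugins, and lower priority numbers run first) are standard WordPress behaviour.

```php
<?php
/**
 * Plugin Name: Interim guard for fluentform_ai_create_form (added example)
 * Description: Place this file in wp-content/mu-plugins/ to enforce an
 * authorization check on the AJAX action named in CVE-2025-13722 until the
 * vendor fix is installed. Illustrative code, not from the plugin vendor.
 */

// Priority 1 runs before the plugin's handler (registered at the default
// priority 10), so a denied request terminates before reaching the
// unauthorized code path. Remove this file once the patched plugin is deployed.
add_action('wp_ajax_fluentform_ai_create_form', 'example_guard_ai_create_form', 1);

function example_guard_ai_create_form() {
    $user = wp_get_current_user();
    $ip   = isset($_SERVER['REMOTE_ADDR'])
        ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR']))
        : 'unknown';

    if (current_user_can('manage_options')) {
        // Authorized: keep an audit trail (recommendation 3) and let the
        // plugin's own handler run by returning normally.
        error_log(sprintf(
            '[ff-guard] allow user=%s id=%d ip=%s action=fluentform_ai_create_form',
            $user->user_login, (int) $user->ID, $ip
        ));
        return;
    }

    // Not authorized: log the caller's roles so attempts from Subscriber-level
    // accounts stand out in monitoring, then stop the request with 403.
    error_log(sprintf(
        '[ff-guard] DENY user=%s id=%d roles=%s ip=%s action=fluentform_ai_create_form',
        $user->user_login, (int) $user->ID, implode(',', (array) $user->roles), $ip
    ));
    wp_send_json_error(['message' => 'Forbidden'], 403);
}
```

Because the guard lives in wp-content/mu-plugins/, it cannot be deactivated from the dashboard and survives plugin updates. The 'DENY' lines go to the PHP error log (or wherever WP_DEBUG_LOG points), which is the signal to forward to a SIEM for the monitoring step; a burst of denials from one account is the indicator worth alerting on.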
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T22:21:02.440Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e4c107349d0379d7d5664
Added to database: 1/7/2026, 12:05:36 PM
Last enriched: 1/14/2026, 4:02:09 PM
Last updated: 2/5/2026, 6:36:07 AM
Views: 44
Related Threats
- CVE-2025-15080: CWE-1284 Improper Validation of Specified Quantity in Input in Mitsubishi Electric Corporation MELSEC iQ-R Series R08PCPU (High)
- CVE-2025-61732: CWE-94: Improper Control of Generation of Code ('Code Injection') in Go toolchain cmd/cgo (High)
- CVE-2025-10314: CWE-276 Incorrect Default Permissions in Mitsubishi Electric Corporation FREQSHIP-mini for Windows (High)
- CVE-2025-11730: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Zyxel ATP series firmware (High)
- CVE-2026-1898: Improper Access Controls in WeKan (Medium)