CVE-2026-2365 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Fluent Forms Pro Add On Pack plugin for WordPress, affecting all versions up to and including 6.1.17. The vulnerability exists in the AJAX action `fluentform_step_form_save_data`, which handles draft form submissions. This endpoint is publicly accessible without requiring authentication or nonce verification, allowing unauthenticated attackers to submit crafted form data containing malicious JavaScript payloads. Due to insufficient input sanitization and lack of proper output escaping when rendering partial form entries, these scripts are stored and executed in the context of the administrator's browser when they view the affected entries. This stored XSS can lead to session hijacking, privilege escalation, or other malicious actions performed with the administrator's privileges. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change with partial confidentiality and integrity impact but no availability impact. Although no public exploits are currently known, the vulnerability poses a significant risk due to the ease of exploitation and potential impact on site administration and data integrity.

The exploitation of this vulnerability can have serious consequences for organizations using the Fluent Forms Pro Add On Pack on WordPress sites. An attacker can inject malicious scripts that execute in the administrator's browser, potentially leading to theft of administrative session cookies, unauthorized actions performed with admin privileges, defacement, data theft, or further compromise of the web application and backend systems. Since the vulnerability allows unauthenticated remote attackers to exploit it, the attack surface is broad, increasing the risk of automated attacks. Organizations relying on this plugin for critical forms or data collection may face data integrity issues and loss of trust. Additionally, compromised admin accounts can be leveraged to deploy further malware or pivot within the network, amplifying the impact. The vulnerability affects the confidentiality and integrity of the site and its data but does not directly affect availability.

To mitigate this vulnerability, organizations should immediately update the Fluent Forms Pro Add On Pack plugin to a version where the vulnerability is patched once available. Until a patch is released, administrators should restrict access to the draft form submission endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to the `fluentform_step_form_save_data` AJAX action. Additionally, applying strict input validation and output encoding on form data can reduce risk. Monitoring and logging access to this endpoint can help detect exploitation attempts. Administrators should also review partial form entries for suspicious content and sanitize or remove any injected scripts. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Finally, limiting administrative access to trusted IP addresses and enforcing multi-factor authentication can reduce the risk of session hijacking.