{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0632", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-06T00:21:53.194Z", "datePublished": "2026-02-09T11:22:35.952Z", "dateUpdated": "2026-04-08T17:34:55.867Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:55.867Z"}, "affected": [{"vendor": "techjewel", "product": "Fluent Forms Pro Add On Pack", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.1.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.12 via the 'saveDataSource' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "title": "Fluent Forms Pro Add On Pack <= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd3bf470-f966-454d-8df3-0dec4682e883?source=cve"}, {"url": "https://fluentforms.com/docs/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "timeline": [{"time": "2026-01-06T00:40:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-08T22:49:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T13:21:53.159076Z", "id": "CVE-2026-0632", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T13:22:06.701Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0632", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T13:21:53.159076Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T13:22:01.377Z"}}], "cna": {"title": "Fluent Forms Pro Add On Pack <= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource'", "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "techjewel", "product": "Fluent Forms Pro Add On Pack", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.1.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T00:40:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-08T22:49:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd3bf470-f966-454d-8df3-0dec4682e883?source=cve"}, {"url": "https://fluentforms.com/docs/changelog/"}], "descriptions": [{"lang": "en", "value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.12 via the 'saveDataSource' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-09T11:22:35.952Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0632", "state": "PUBLISHED", "dateUpdated": "2026-02-09T13:22:06.701Z", "dateReserved": "2026-01-06T00:21:53.194Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-09T11:22:35.952Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.12 via the 'saveDataSource' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}, {"lang": "es", "value": "El plugin Fluent Forms Pro Add On Pack para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor en todas las versiones hasta la 6.1.12, inclusive, a trav\u00e9s de la funci\u00f3n 'saveDataSource'. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, realizar peticiones web a ubicaciones arbitrarias originadas desde la aplicaci\u00f3n web y puede utilizarse para consultar y modificar informaci\u00f3n de servicios internos."}], "id": "CVE-2026-0632", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-09T12:15:57.603", "references": [{"source": "security@wordfence.com", "url": "https://fluentforms.com/docs/changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd3bf470-f966-454d-8df3-0dec4682e883?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.1.12]"}}], "product": "fluent_forms_pro_add_on_pack", "vendor": "techjewel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:42:12.691295+00:00", "value": {"mitigation_remediation": ["Update the Fluent Forms Pro Add On Pack plugin to version 6.1.13 or later.", "Restrict outbound HTTP requests from the WordPress instance, blocking connections to internal IP ranges or disallowed ports.", "Revoke or upgrade Subscriber\u2011level accounts that are unnecessary for normal operation, ensuring only trusted users can authenticate.", "Monitor web server logs for unexpected or internal network requests that could indicate SSRF activity."], "summary": {"action": "Apply Patch", "impact": "Server-Side Request Forgery"}, "threat_synthesis": {"affected_systems": "WordPress sites running Fluent Forms Pro Add On Pack version 6.1.12 or earlier. The plugin is distributed by techjewel and can be present in a wide range of WordPress installations. Specific version numbers are limited to 6.1.12 and earlier according to the CVE data.", "description_and_impact": "The vulnerability resides in the 'saveDataSource' function of the Fluent Forms Pro Add On Pack plugin for WordPress. It allows an attacker who is authenticated with at least Subscriber level to instruct the application to send HTTP requests to arbitrary destinations. The weakness can reveal or alter internal resources, thereby compromising confidentiality and integrity of internal services. The core weakness is identified as CWE\u2011918, a classic SSRF scenario.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, but the EPSS score of less than 1% suggests it is not currently a high\u2011probability target. Because only authenticated users can exploit it, the threat is limited to sites with exposed subscriber accounts. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known exploits are recorded at this time. However, the fact that the attack requires legitimate credentials means that social engineering or credential compromise could enable exploitation. Attackers would likely use the SSRF to probe internal services, potentially pivoting to other systems if internal requests are permitted."}}}}, "created": "2026-02-10T12:23:40.825447+00:00", "updated": "2026-04-15T18:45:11.448810+00:00", "vendors": ["techjewel", "techjewel$PRODUCT$fluent_forms_pro_add_on_pack", "wordpress", "wordpress$PRODUCT$wordpress"]}