Contact Form Plugin by Fluent Forms Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-6957 | WordPress Plugin Vulnerability Report 

Plugin Name: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: fluentform
  • Software Status: Active
  • Software Author: techjewel
  • Software Downloads: 5,973,827
  • Active Installs: 400,000
  • Last Updated: March 7, 2024
  • Patched Versions: 5.1.10
  • Affected Versions: <= 5.1.9

Vulnerability Details:

  • Name: Fluent Forms <= 5.1.9
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2023-6957
  • CVSS Score: 4.9
  • Publicly Published: March 5, 2024
  • Researcher: drop
  • Description: The Fluent Forms plugin is vulnerable to Stored Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping in all versions up to and including 5.1.9. This vulnerability allows attackers, with at least contributor-level access, to inject malicious scripts into web pages that will execute when accessed by users. The risk level of this vulnerability varies based on the permissions set by administrators for form creation, which could be as low as contributor level, though the default setting is admin.


The Contact Form Plugin by Fluent Forms for WordPress presents a Stored Cross-Site Scripting vulnerability in versions up to and including 5.1.9. This security flaw, which allows for the injection and execution of arbitrary web scripts, has been effectively addressed in version 5.1.10.

Detailed Overview:

Discovered by the researcher known as drop, this vulnerability within Fluent Forms exposes a critical security risk, particularly in environments where lower-level users are permitted to create forms. Stored XSS vulnerabilities like this one are especially concerning as they can lead to a range of exploits from stealing user data to taking over admin accounts. It is crucial for administrators to understand the extent of access granted to users and the potential implications it has on site security.

Advice for Users:

  • Immediate Action: All users of Fluent Forms should immediately update to version 5.1.10, which contains the necessary patches for this vulnerability.
  • Check for Signs of Vulnerability: Admins should review user roles and permissions, ensuring that only trusted users have the capability to create or modify forms. Additionally, inspecting form content for unexpected or malicious scripts can help identify if exploitation has occurred.
  • Alternate Plugins: While the patched version is secure, users who are concerned about security may consider exploring alternative form builder plugins with a strong emphasis on security and regular updates.
  • Stay Updated: The importance of keeping all WordPress plugins, themes, and the core updated cannot be overstated. Regular updates are vital for maintaining security and functionality.


The swift action taken by Fluent Forms' developers to release a patch for this vulnerability highlights the ongoing need for vigilance in the digital space. By updating to version 5.1.10, users can protect their WordPress sites from potential exploitation. It is a poignant reminder for all WordPress site owners about the importance of regular software updates and diligent site management practices.


In the ever-evolving digital landscape, where convenience meets innovation through plugins like the Contact Form Plugin by Fluent Forms for WordPress, the shadow of cyber threats looms large. The discovery of a critical vulnerability, designated as CVE-2023-6957, in such a widely utilized plugin, serves as a stark reminder of the constant vigilance required to safeguard our digital gateways. This incident not only highlights the susceptibility of digital tools to security breaches but also emphasizes the imperative need for regular updates and proactive security measures.

Plugin Overview:

The Contact Form Plugin by Fluent Forms stands out for its user-friendly interface, enabling WordPress users to effortlessly create quizzes, surveys, and forms through a drag-and-drop builder. With techjewel at the helm of its development, the plugin has amassed over 5,973,827 downloads, servicing 400,000 active installations. Despite its popularity and utility, the plugin found itself vulnerable in versions up to and including 5.1.9, as revealed in a security analysis published on March 5, 2024.

Vulnerability Insight:

CVE-2023-6957 uncovers a Stored Cross-Site Scripting (XSS) flaw stemming from inadequate input sanitization and output escaping mechanisms within the plugin. This loophole allows individuals with at least contributor-level access to inject and execute arbitrary web scripts, compromising the integrity and security of affected websites. Notably, the exploitation of this vulnerability can lead to unauthorized access, data theft, and potentially full control over the compromised website.

Risks and Impacts:

The potential impacts of this vulnerability extend beyond mere technical glitches, posing significant risks to data security and user trust. For businesses relying on Fluent Forms for lead generation and customer interactions, such a breach could result in the loss of sensitive data, erosion of customer trust, and subsequent financial and reputational damage.

Remediation and Proactive Measures:

In response to this threat, the developers of Fluent Forms promptly released an update, version 5.1.10, addressing the identified vulnerability. Users are urged to immediately update their plugin to this patched version to mitigate the risks. Moreover, website administrators should conduct regular reviews of user roles and permissions, ensuring that form creation and modification capabilities are restricted to trusted users. Additionally, considering alternative plugins with a strong security track record may provide an added layer of assurance.

Historical Context:

This is not the plugin's first encounter with security vulnerabilities; since June 16, 2021, Fluent Forms has navigated through six documented vulnerabilities, each serving as a learning curve for developers and users alike. These instances underscore the dynamic nature of cyber threats and the ongoing battle to stay one step ahead.

Concluding Thoughts:

The swift resolution of CVE-2023-6957 by the Fluent Forms team highlights the critical nature of timely software updates in the realm of cybersecurity. For small business owners juggling myriad responsibilities, understanding the importance of such updates and implementing a routine check-up of digital tools can be a game-changer. Leveraging automated update features, employing security plugins, and staying informed about potential vulnerabilities are key strategies in fortifying your digital presence against unforeseen threats. In the digital age, the security of your online platform is not just a technical issue but a cornerstone of your business's integrity and reliability.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Contact Form Plugin by Fluent Forms Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-6957 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment