Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total4
Critical0
High2
Medium2
Reset
Showing 1-4 of 4 records
Threat Entry Updated 2026-03-05

CVE-2026-2899 - Fluent Forms Pro Add On Pack Plugin

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter. Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for…

PLUGIN Fluent Forms Pro Add On Pack

CVE-2026-2899

MEDIUM CVSS 6.5 2026-03-05
Open Full Technical Breakdown
Threat Entry Updated 2026-03-05

CVE-2026-2365 - Fluent Forms Pro Add On Pack Plugin

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.

PLUGIN Fluent Forms Pro Add On Pack

CVE-2026-2365

HIGH CVSS 7.2 2026-03-05
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-2428 - Fluent Forms Pro Add On Pack Plugin

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

PLUGIN Fluent Forms Pro Add On Pack

CVE-2026-2428

HIGH CVSS 7.5 2026-02-27
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-0632 - Fluent Forms Pro Add On Pack Plugin

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.12 via the 'saveDataSource' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Fluent Forms Pro Add On Pack

CVE-2026-0632

MEDIUM CVSS 5.4 2026-02-09
Open Full Technical Breakdown
Scroll to top