WordPress Security Bulletin: Fluent Forms Pro Add On Pack Plugin Vulnerability (CVE-2026-0632)

Security Alert Summary

The Fluent Forms Pro Add On Pack plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in the saveDataSource function. Authenticated users with Subscriber-level access and above can cause the application to make network requests to arbitrary locations, which may allow querying or modifying information on internal services.


CVE Details

  • CVE ID: CVE-2026-0632
  • Affected component: The Fluent Forms Pro Add On Pack plugin for WordPress
  • Affected versions: All versions up to, and including, 6.1.12 (as stated in the CVE entry)
  • Published: February 9, 2026 at 12:15:57 PM UTC
  • Last modified: February 9, 2026 at 4:08:35 PM UTC
  • CVSS v3.1: Base Score 5.4, MEDIUM; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • Authentication / Privileges / User interaction: Requires an authenticated user (description: authenticated attackers with Subscriber-level access and above). CVSS: Privileges Required: Low (PR:L); User Interaction: None (UI:N).
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE / weakness: CWE-918 (Server-Side Request Forgery)

Technical Details

The vulnerability is a Server-Side Request Forgery (SSRF) in the plugin's saveDataSource function. Per the CVE description, an authenticated user (Subscriber-level or above) can supply a destination that the function does not adequately restrict, causing the WordPress site to issue HTTP requests to arbitrary locations chosen by the attacker.

Because those requests originate from the web server itself, they carry the server's network position: anything reachable from the host, including internal APIs, services bound to localhost, and cloud instance metadata endpoints, becomes reachable to the attacker even though it is not exposed to the internet. The CVE entry states these requests can be used to query and modify information from internal services, so both the responses the server receives and the side effects of the requests it sends are in scope.

The CVE description names only the saveDataSource function; it does not give the exact endpoint or parameter involved, nor does it state whether a patch or fixed version is available.
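The defence a saveDataSource-style handler is missing is a check on where the user-supplied URL actually points, performed before any request is made. The following is an added example written for this bulletin in Python, not the plugin's own code, and its function names, the resolver hook, and the sample hostnames and addresses (fake_dns, api.example.com, rebind.example.net, 203.0.113.10) are this article's own constructions. It goes a little beyond the specific case in the CVE: it rejects non-HTTP schemes, embedded credentials and unusual ports, checks every DNS answer (not just the first) so a rebinding answer cannot slip through, and returns a pinned address for the caller to connect to instead of resolving the name a second time.

```python
"""SSRF target validation of the kind a saveDataSource-style handler needs.

Added example for this bulletin, not code from the Fluent Forms plugin.
Function names, the resolver hook and the sample hostnames/addresses
below are this article's own assumptions.
"""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Destinations a server-side fetcher should never reach on a user's behalf.
# 169.254.0.0/16 includes cloud instance-metadata services (169.254.169.254);
# ::ffff:0:0/96 catches IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

Resolver = Callable[[str], List[str]]


class UnsafeTarget(ValueError):
    """The supplied URL must not be fetched by the server."""


def is_internal_address(ip: str) -> bool:
    """True if `ip` is in a loopback, private, link-local or metadata range."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # judge ::ffff:a.b.c.d as a.b.c.d
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA answer (real DNS, used outside tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_data_source_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Validate a user-supplied data-source URL; return the address to connect to.

    Raises UnsafeTarget for anything that would turn the fetch into an SSRF:
    non-HTTP schemes, embedded credentials, unusual ports, and literals or
    hostnames that point into internal ranges. Every DNS answer is checked,
    and the caller should connect to the returned (pinned) address rather
    than resolve again, so a DNS-rebinding answer cannot swap in 10.x later.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeTarget("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeTarget("missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:              # non-numeric or out-of-range port
        raise UnsafeTarget("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeTarget(f"port not allowed: {port}")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP, no DNS
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise UnsafeTarget(f"host does not resolve: {host}")
    for ip in addresses:
        if is_internal_address(ip):
            raise UnsafeTarget(f"{host} resolves to internal address {ip}")
    return addresses[0]


def is_safe_target(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean convenience wrapper around validate_data_source_url()."""
    try:
        validate_data_source_url(url, resolver)
        return True
    except UnsafeTarget:
        return False


if __name__ == "__main__":
    # Constructed fixture: a fake resolver so the demo runs offline.
    fake_dns = {"api.example.com": ["203.0.113.10"],
                "localhost": ["127.0.0.1"],
                "rebind.example.net": ["203.0.113.10", "10.0.0.5"]}

    def resolve(host: str) -> List[str]:
        return fake_dns.get(host, [])

    for candidate in ("https://api.example.com/v1/items",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://localhost/",
                      "http://[::ffff:10.0.0.1]/",
                      "http://rebind.example.net/",
                      "http://user:pw@api.example.com/",
                      "ftp://api.example.com/"):
        verdict = "allow" if is_safe_target(candidate, resolve) else "BLOCK"
        print(f"{candidate:45} -> {verdict}")
```

In a WordPress plugin the same idea is available natively: fetch with wp_safe_remote_get()/wp_safe_remote_post() (which set reject_unsafe_urls and run the URL through wp_http_validate_url(), rejecting loopback and RFC 1918 destinations and non-standard ports) rather than wp_remote_get(), and gate the handler with a capability check such as current_user_can() and a nonce before it ever builds a request. The validator above is not a substitute for that authorization check: the CVE's root cause is that Subscriber-level users can reach the function at all, and the URL check only limits what they can do once there.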


How This Could Impact Your Website

Consider a small organization where the site owner manages plugins, an internal editor publishes content, and an external contractor occasionally submits form integrations. Every one of those accounts, and any Subscriber account, already meets the prerequisite for this vulnerability: Subscriber is the lowest default WordPress role, so if the site allows open registration (Settings > General, "Anyone can register") the prerequisite is available to anyone on the internet. An attacker with such an account can make the site request internal services on their behalf (for example, internal APIs, services bound to localhost, or cloud provider metadata endpoints, which on some platforms return instance credentials). Practical consequences include limited information disclosure from internal endpoints and unauthorized interactions with internal services that expose configuration or service data.

Even if the immediate impact is limited (the CVSS vector rates both confidentiality and integrity impact as Low), the information exposed or modified through internal requests can aid further reconnaissance and follow-on attacks. For example, knowledge of internal hostnames, API endpoints or service responses narrows the next step of an intrusion and makes targeted phishing or credential-theft attempts more convincing.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Check the installed version of Fluent Forms Pro Add On Pack against the affected range (up to and including 6.1.12) and update as soon as a patched version is available.
  • Audit all user accounts, including Subscriber-level ones, since the lowest default role is sufficient to exploit this issue; remove accounts you cannot attribute, and disable open registration unless the site needs it.
  • Enforce strong passwords and enable two-factor authentication for every account that can log in, not only editors and administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Limit what the web server can reach: apply outbound (egress) filtering so the host can only contact the services it needs, and on cloud instances restrict or harden access to the instance metadata endpoint (for example by requiring the session-oriented IMDSv2 on AWS).
  • Monitor site activity and logs for unusual outbound requests from the web server, unexpected changes to form integrations or data sources, and Subscriber accounts calling plugin endpoints they have no reason to use.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References