PLUGIN SECURITY
Is Fluentform safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Fluentform WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
fluentform - Requires PHP: 7.4+
- Max supported PHP (analyzed): <8.0
Known vulnerabilities
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 3.6.67 [CVE-2021-34620, WordPress Contact Form Plugin by Fluent Forms <= 3.6.65 - Cross-Site Request Forgery (CSRF) vulnerability leading to stored Cross-Site Scripting (XSS), WP Fluent Forms < 3.6.67 - Stored Cross-Site Scripting, WP Fluent Forms < 3.6.67 - Cross-Site Request Forgery (CSRF)]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 4.3.13 [CVE-2022-3463, WordPress FluentForm plugin <= 4.3.12 - CSV Injection vulnerability, Contact Form Plugin by FluentForm <= 4.3.12 - CSV Injection, FluentForm < 4.3.13 - CSV Injection]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 4.3.25 [CVE-2023-0546, WordPress FluentForm Plugin < 4.3.25 is vulnerable to Cross Site Scripting (XSS), FluentForms <= 4.3.24 - Authenticated(Contributor+) Stored Cross-Site Scripting, FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.0.0 [CVE-2023-24410, WordPress FluentForm Plugin <= 4.3.25 is vulnerable to SQL Injection, FluentForm <= 4.3.25 - Authenticated (Administrator+) SQL Injection, FluentForm < 5.0.0 - SQL Injection]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.0.9 [Contact Form for Plugin by Fluent Forms <= 5.0.8 - Insecure Direct Object Reference]
+ 34 more known vulnerabilities
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.0.9 [CVE-2023-41952, WordPress FluentForm Plugin <= 5.0.8 is vulnerable to Broken Access Control, Contact Form for Plugin by Fluent Forms < 5.0.9 - Insecure Direct Object Reference]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.7 [Fluent Forms <= 5.1.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.7 [WordPress FluentForm Plugin <= 5.1.5 is vulnerable to Cross Site Scripting (XSS)]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.7 [CVE-2024-0618, Fluent Forms < 5.1.7 - Admin+ Stored Cross-Site Scripting via imported form title]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.10 [CVE-2023-6957, Fluent Forms <= 5.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress FluentForm Plugin <= 5.1.9 is vulnerable to Cross Site Scripting (XSS), Fluent Forms < 5.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.17 [CVE-2024-2782, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Missing Authorization to Setting Manipulation, WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Broken Access Control]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.17 [CVE-2024-2771, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Missing Authorization to Settings Update and Limited Privilege Escalation, WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Privilege Escalation]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.14 [CVE-2024-2772, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.13 - Authenticated (Subscriber+) Stored Cross-Site Scripting, WordPress FluentForm Plugin <= 5.1.13 is vulnerable to Cross Site Scripting (XSS)]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.17 [CVE-2024-4709, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Cross Site Scripting (XSS)]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.16 [CVE-2024-4157, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues, WordPress FluentForm Plugin <= 5.1.15 is vulnerable to PHP Object Injection]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.20 [CVE-2024-6520, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19 - Authenticated (Administrator+) Stored Cross-Site Scripting, WordPress FluentForm Plugin <= 5.1.19 is vulnerable to Cross Site Scripting (XSS)]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.20 [CVE-2024-6703, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Welcome Screen Fields]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.20 [CVE-2024-6518, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19 - Authenticated (Administrator+) Stored Cross-Site Scripting]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.20 [CVE-2024-6521, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19 - Authenticated (Administrator+) Stored Cross-Site Scripting]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.19 [CVE-2024-5053, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 - Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification, WordPress FluentForm Plugin <= 5.1.18 is vulnerable to Broken Access Control]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.1.20 [CVE-2024-9528, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.19 - Authenticated (Form Manager+) Stored Cross-Site Scripting, WordPress FluentForm Plugin <= 5.1.19 is vulnerable to Cross Site Scripting (XSS)]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.2.1 [CVE-2024-9651, Fluent Forms <= 5.2.0 - Authenticated (Admin+) Stored Cross-Site Scripting, WordPress FluentForm Plugin < 5.2.1 is vulnerable to Cross Site Scripting (XSS)]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 5.2.7 [CVE-2024-10646, Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.2.6 - Unauthenticated Stored Cross-Site Scripting via Form Subject]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.0.0 [CVE-2024-13666, Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 5.2.12 - IP-Spoofing, EUVD-2025-7183]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.0.3 [CVE-2025-3615, Fluent Forms <= 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2025-11513]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.1.8 [CVE-2025-13748, Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id, EUVD-2025-201540]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.1.8 [CVE-2025-13722, Fluent Forms <= 6.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Creation via AI Builder]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.1.12 [CVE-2025-69001, FluentForm <= 6.1.11 - Unauthenticated Arbitrary Shortcode Execution]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.1.15 [CVE-2026-25313, Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.14 - Missing Authorization]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.1.15 [CVE-2026-0996, Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.0 [CVE-2026-4160, Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification, EUVD-2026-23237]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.1.2 [Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 5.1.16 - 6.1.1 - Authenticated (Subscriber+) PHP Object Injection To Arbitrary File Read, Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 5.1.16 - 6.1.1 - Authenticated (Subscriber+) PHP Object Injection To Arbitrary File Read, EUVD-2025-26623]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.2 [CVE-2026-6344, Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.2 [CVE-2026-6828, Fluent Forms <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'permission_message' Shortcode Attribute]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.0 [CVE-2026-5396, Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.1 [CVE-2026-5395, Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.1 [CVE-2026-11880]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.5 [CVE-2026-11578]
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.2 [CVE-2026-5069, Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation via 'subscription_id']
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Contact Form 7 — 10000000+ active installs — max PHP 8.4
- Akismet Anti-spam: Spam Protection — 6000000+ active installs — max PHP 8.4
- WPForms – AI Form Builder for WordPress – Contact Forms, Payment Forms, Survey Form, Quiz & More — 5000000+ active installs
- Forminator Forms – Contact Form, Payment Form & Custom Form Builder — 600000+ active installs
- Ninja Forms – The Contact Form Builder That Grows With You — 600000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.