CVE-2025-3615: 
WordPress vulnerability analysis and mitigation

The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the form-submission.js script in versions up to and including 6.0.2. The vulnerability was discovered and disclosed on April 17, 2025, and has been assigned CVE-2025-3615. The issue affects the WordPress plugin Fluent Forms, which is a popular form builder solution (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the form-submission.js script. This security flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability with low attack complexity requiring low privileges (NVD).

When exploited, this vulnerability allows attackers to inject malicious web scripts that execute whenever a user accesses an affected page. This can lead to potential client-side attacks, data theft, and session hijacking. The stored nature of the XSS makes it particularly dangerous as the malicious scripts persist in the database and execute for any user viewing the compromised page (NVD).

The vulnerability has been patched in version 6.0.3 of the Fluent Forms plugin. Site administrators are strongly advised to update to this version immediately. The update includes fixes for the Cross-Site Scripting vulnerability along with other improvements (WordPress Plugin).