CVE-2026-0632 Overview
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to, and including, 6.1.12 via the saveDataSource function. This vulnerability enables authenticated attackers with Subscriber-level access and above to make web requests to arbitrary locations originating from the web application. Attackers can leverage this flaw to query and modify information from internal services, potentially exposing sensitive infrastructure components.
Critical Impact
Authenticated attackers can exploit this SSRF vulnerability to access internal services, enumerate internal network resources, and potentially bypass firewall restrictions to interact with sensitive backend systems.
Affected Products
- Fluent Forms Pro Add On Pack plugin for WordPress versions up to and including 6.1.12
- WordPress installations running vulnerable Fluent Forms Pro Add On Pack versions
- Internal services accessible from the WordPress server
Discovery Timeline
- February 9, 2026 - CVE-2026-0632 published to NVD
- February 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-0632
Vulnerability Analysis
This Server-Side Request Forgery (SSRF) vulnerability (CWE-918) exists in the saveDataSource function of the Fluent Forms Pro Add On Pack plugin. The vulnerability allows authenticated users with minimal privileges (Subscriber-level access) to craft malicious requests that the server will execute on their behalf. Because the requests originate from the trusted web server, they can bypass network segmentation controls and access internal resources that would otherwise be unreachable from external networks.
The attack requires network access and low-privilege authentication, with no user interaction needed for exploitation. The vulnerability primarily impacts confidentiality and integrity of data accessible through internal services.
Root Cause
The root cause is insufficient validation and sanitization of user-supplied URLs within the saveDataSource function. The function fails to properly restrict the destinations of server-side HTTP requests, allowing attackers to specify arbitrary internal or external URLs. This lack of URL validation permits requests to internal services, cloud metadata endpoints, and other sensitive resources.
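The destination check the paragraph above describes as missing, written out as an added example (not the plugin's code; the plugin is PHP, so this is the logic to port rather than a drop-in). The function name check_destination, the http/https-only and 80/443-only policy, and the injectable resolver are assumptions made for the example. A hostname is rejected if any of its addresses is internal, and IP literals are checked without DNS so that the decimal form (2130706433 is 127.0.0.1) and IPv4-mapped IPv6 cannot slip past a string match:

```python
"""Destination validation for server-side fetches (added example, not plugin code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a fetch triggered by a low-privilege user must never reach: loopback,
# RFC 1918, link-local (169.254.0.0/16 includes the cloud metadata endpoint
# 169.254.169.254), CGNAT, the unspecified address and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]
ALLOWED_SCHEMES = {"http", "https"}   # policy assumed for the example
ALLOWED_PORTS = {80, 443}             # policy assumed for the example


def is_blocked_ip(ip) -> bool:
    """True if ip lies in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _literal_ip(host: str):
    """Parse host as an IP literal (dotted, IPv6, or plain decimal); None for a DNS name."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():  # glibc resolves "http://2130706433/" to 127.0.0.1
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            return None
    return None


def _system_resolver(host: str):
    """Default resolver: every A/AAAA record for host, as strings."""
    return [r[4][0].split("%")[0] for r in socket.getaddrinfo(host, None)]


def check_destination(url: str, resolver=_system_resolver):
    """Return (allowed, reason). A name is rejected if ANY of its addresses is
    blocked, so a DNS record pointing at an internal host does not get through."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"   # 'trusted.example@10.0.0.1' trick
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    literal = _literal_ip(host)
    candidates = [literal] if literal else [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates:
        return False, f"{host} does not resolve"
    for addr in candidates:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    fake_dns = {"api.example.com": ["203.0.113.10"], "intranet.example": ["10.0.0.9"]}
    for u in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://2130706433/", "http://[::ffff:10.0.0.5]/", "http://intranet.example/"):
        print(u, check_destination(u, resolver=lambda h: fake_dns.get(h, [])))
```

Validating the string is only half of the control: redirects must be disabled or every hop re-validated, and the connection should be made to the address that was checked rather than resolving again (DNS rebinding). WordPress core's wp_safe_remote_get() and wp_http_validate_url() implement the same private-range rejection and are the natural place to put this in a plugin.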
Attack Vector
The attack vector is network-based, requiring an authenticated session with at least Subscriber-level privileges. An attacker would craft a malicious request to the saveDataSource endpoint, specifying a target URL pointing to internal services such as localhost, internal IP ranges, or cloud metadata services (e.g., http://169.254.169.254/ on AWS). The WordPress server then makes the request on behalf of the attacker, returning the response data or allowing modifications to internal service configurations.
Common SSRF attack patterns applicable to this vulnerability include:
- Accessing cloud instance metadata endpoints to retrieve credentials
- Scanning internal network ranges to discover services
- Interacting with internal APIs and databases
- Bypassing IP-based access controls on internal services
Detection Methods for CVE-2026-0632
Indicators of Compromise
- Unusual outbound HTTP requests from the WordPress server to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254) originating from the web application
- Abnormal activity in WordPress audit logs related to the saveDataSource function
- Unexpected modifications to data source configurations within Fluent Forms
Detection Strategies
- Monitor web application firewall (WAF) logs for requests containing internal IP addresses or metadata endpoint URLs in POST parameters
- Implement egress filtering rules and alert on violations from the WordPress server
- Review WordPress plugin activity logs for suspicious saveDataSource function calls
- Deploy network intrusion detection signatures for SSRF attack patterns
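The first detection strategy above, scanning request parameters for internal addresses or metadata endpoints, as an added example that runs over constructed WAF-style audit records (not part of the advisory or of any vendor tooling). The JSON record layout, the parameter name url and the use of saveDataSource as the action value are assumptions; the real request shape is not on the advisory. It decodes layered percent-encoding before matching, flags the indicator ranges listed above plus localhost-style hostnames, and then groups findings per user so a single account touching several distinct internal targets stands out as a scanning pattern:

```python
"""Flag SSRF-style destinations in logged request parameters (added example)."""
import json
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# IP literals from the indicators section: RFC 1918, loopback, link-local
# (169.254.0.0/16 covers the 169.254.169.254 metadata endpoint).
INTERNAL_IP_RE = re.compile(
    r"(?<![\d.])(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3})(?![\d.])")
# Hostnames that reach internal or metadata services without an IP literal.
SUSPICIOUS_HOSTS = {"localhost", "metadata.google.internal"}
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_targets(value: str) -> list:
    """Return the internal IPs / suspicious hosts embedded in one parameter value."""
    text = fully_decode(value)
    hits = set(INTERNAL_IP_RE.findall(text))
    for url in URL_RE.findall(text):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:
            continue
        if host in SUSPICIOUS_HOSTS:
            hits.add(host)
    return sorted(hits)


def scan_records(lines) -> list:
    """One finding per (record, parameter) whose value targets an internal destination.
    Records are JSON lines with ts, user, uri and params (constructed layout)."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        for name, value in rec.get("params", {}).items():
            targets = suspicious_targets(str(value))
            if targets:
                findings.append({"ts": rec["ts"], "user": rec["user"], "uri": rec["uri"],
                                 "param": name, "targets": targets})
    return findings


def users_probing_multiple_hosts(findings, threshold: int = 2) -> dict:
    """Users whose findings cover >= threshold distinct internal targets."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["user"]].update(f["targets"])
    return {u: sorted(t) for u, t in seen.items() if len(t) >= threshold}


# Constructed sample records; "saveDataSource" stands in for whatever action
# value the plugin really uses, and "url" for the parameter carrying the target.
SAMPLE_LOG = [
    '{"ts":"2026-02-10T09:00:01Z","user":"subscriber01","uri":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"saveDataSource","url":"http://169.254.169.254/latest/meta-data/"}}',
    '{"ts":"2026-02-10T09:00:07Z","user":"subscriber01","uri":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"saveDataSource","url":"http%3A%2F%2F10.0.0.5%3A8080%2Fstatus"}}',
    '{"ts":"2026-02-10T09:01:15Z","user":"editor","uri":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"saveDataSource","url":"https://api.example.com/v1/list"}}',
    '{"ts":"2026-02-10T09:02:30Z","user":"subscriber02","uri":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"saveDataSource","url":"http://localhost:8080/"}}',
]

if __name__ == "__main__":
    found = scan_records(SAMPLE_LOG)
    for f in found:
        print(f)
    print("scanning pattern:", users_probing_multiple_hosts(found))
```

Pattern matching on parameters is cheap but incomplete: a target written as a plain decimal IP or hidden behind a DNS name the attacker controls will not match, which is why the egress-filtering and outbound-connection alerts in the next two strategies are the complementary control rather than an alternative.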
Monitoring Recommendations
- Enable verbose logging for the Fluent Forms Pro plugin to capture all data source operations
- Configure SIEM alerts for outbound connections from web servers to internal network segments
- Monitor for failed authentication attempts followed by successful Subscriber-level logins
- Track unusual patterns in form submission and data source configuration changes
How to Mitigate CVE-2026-0632
Immediate Actions Required
- Update Fluent Forms Pro Add On Pack plugin to a version newer than 6.1.12 immediately
- Review user accounts with Subscriber-level access and above for suspicious activity
- Audit data source configurations for unauthorized modifications
- Implement network-level egress filtering to restrict outbound connections from the WordPress server
Patch Information
The vendor has released a security update addressing this vulnerability. Detailed information about the fix can be found in the Fluent Forms Changelog. For complete vulnerability details and remediation guidance, refer to the Wordfence Vulnerability Report.
Workarounds
- Restrict Subscriber-level user registrations until the patch is applied
- Implement a Web Application Firewall (WAF) rule to block requests containing internal IP addresses or metadata endpoints in form data
- Configure network-level controls to prevent the WordPress server from making requests to internal services
- Disable the Fluent Forms Pro Add On Pack plugin temporarily if patching is not immediately possible
# Configuration example - WordPress .htaccess SSRF mitigation
# Temporarily denies every request whose path or query string names the
# saveDataSource action (assumes the plugin routes it through a URL that
# contains this name). Do not gate this on the login cookie: the
# wordpress_logged_in_* cookie holds username|expiry|token|hmac, never the
# role, and Apache cannot verify it, so a client could forge a match.
# Enforce a capability check in PHP instead; an action sent only in a POST
# body is invisible to mod_rewrite.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} saveDataSource [NC,OR]
RewriteCond %{QUERY_STRING} saveDataSource [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.