Sites running the FluentForm plugin should update immediately after Patchstack disclosed a broken access control vulnerability in the plugin — a class of flaw that attackers routinely exploit in automated, large-scale campaigns targeting thousands of WordPress sites at once.

The vulnerability was published on 9 July 2026 and carries a low severity rating on the CVSS (Common Vulnerability Scoring System) scale, a standardised framework used to rank security flaws. While that rating suggests limited risk on its own, Patchstack notes that broken access control issues are a frequent target of mass-exploit tooling, meaning even low-severity flaws get picked up by automated scanners.

A heavy steel vault door stands ajar, with locking bolts extended and a hand resting on its edge.

FluentForm Security Flaw Fixed in Version 6.2.2

The flaw itself stems from a missing authorisation or nonce check — a nonce is a one-time security token WordPress uses to verify that a request is legitimate — inside a function that an unprivileged user could trigger to perform an action normally reserved for higher-level users such as administrators. The fix is straightforward:

  • Update FluentForm to version 6.2.2 or later through your WordPress dashboard
  • If you cannot update yourself, contact your hosting provider or a WordPress developer for assistance

Agencies and freelancers managing multiple client sites should prioritise this update across all managed sites. The combination of a public disclosure and mass-exploit tooling means the window between a vulnerability becoming known and attackers scanning for it is often very short. Sites that run unpatched versions of FluentForm — a widely used form-builder plugin — are the most exposed.

Broken access control vulnerabilities consistently appear among the most commonly reported WordPress plugin flaws, precisely because a single missing check in the code is easy to overlook during development but straightforward to exploit once discovered. Version 6.2.2 addresses the flaw.