Skip to main content

Fluent CRM CVE-2026-57715

| EUVDEUVD-2026-43370 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-delivered reflected XSS needs no attacker privileges but requires victim click (UI:R); scope change (S:C) into the browser context yields limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:46 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja Fluent CRM fluent-crm allows Reflected XSS.This issue affects Fluent CRM: from n/a through <= 3.1.7.

AnalysisAI

Reflected cross-site scripting in the WPManageNinja Fluent CRM WordPress plugin (all versions through 3.1.7) lets a remote unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically hijacking an authenticated WordPress admin session within the wp-admin context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with XSS payload in Fluent CRM parameter
Delivery
Deliver link to authenticated admin
Exploit
Victim clicks, payload reflects into page
Execution
Script executes in wp-admin session
Impact
Hijack session / perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires victim interaction (CVSS UI:R): a target user must open an attacker-crafted request to the Fluent CRM component that reflects the payload - the description confirms this is Reflected XSS, not stored, so there is no persistent trigger and each attack must be delivered per-victim. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and mostly self-consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the site's Fluent CRM endpoint containing a malicious script payload in a reflected parameter and sends it to a logged-in WordPress administrator via email or chat. When the admin opens the link, the payload reflects into the page and executes in their authenticated session, allowing the attacker to steal the session, perform admin actions, or plant further malicious content. …
Remediation Upgrade Fluent CRM to a version later than 3.1.7 as soon as the vendor publishes a fixed release; the input data does not include an exact patched version number, so no vendor-released fixed version can be independently confirmed at time of analysis - consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/fluent-crm/vulnerability/wordpress-fluent-crm-plugin-3-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve) and the WPManageNinja changelog for the corrected build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, immediately disable or deactivate the WPManageNinja Fluent CRM plugin (all versions through 3.1.7) across all WordPress installations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57715 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy