Skip to main content

FluentCRM EUVDEUVD-2026-31418

| CVE-2026-7798 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-22 Wordfence GHSA-pq4x-338r-cq3h
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 09:32 vuln.today

DescriptionCVE.org

The FluentCRM - Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling) as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests.

AnalysisAI

Blind Server-Side Request Forgery in FluentCRM (WordPress plugin, all versions ≤2.9.87) allows unauthenticated remote attackers to coerce the web server into issuing arbitrary HTTP requests via the 'SubscribeURL' parameter in SES bounce handling. Exploitation is constrained to sites where the SES bounce handling key has never been initialized - a default state that persists until an administrator visits the bounce configuration page. Successfully exploited, this flaw can be used to probe and interact with internal services (cloud metadata endpoints, intranet APIs, adjacent containers), achieving limited but meaningful confidentiality and integrity impact across a changed scope. No public exploit or CISA KEV listing exists at time of analysis, though source code references expose the vulnerable code path directly.

Technical ContextAI

FluentCRM is a self-hosted CRM and email automation plugin for WordPress (CPE: cpe:2.3:a:techjewel:fluentcrm_-_email_newsletter,_automation,_email_marketing,_email_campaigns,_optins,_leads,_and_crm_solution:*:*:*:*:*:*:*:*). The vulnerability resides in ExternalPages.php (lines 85, 87, 113), which handles inbound AWS SES bounce/subscription notification webhooks. The handler accepts a user-supplied 'SubscribeURL' parameter and issues a server-side HTTP request to that URL without sufficient authentication enforcement when the '_fc_bounce_key' configuration key has not yet been initialized. CWE-918 (Server-Side Request Forgery) describes the root cause: user-controlled input is used as a URL target for a server-initiated request without allowlisting or origin validation. The changed scope (S:C in CVSS) reflects that the forged request can reach systems beyond the WordPress application boundary - internal network hosts, cloud provider metadata services (e.g., 169.254.169.254), or other containerized services - that the attacker could not reach directly.

RemediationAI

A fix has been committed to the FluentCRM plugin repository (WordPress.org changeset 3532271: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3532271%40fluent-crm&new=3532271%40fluent-crm), but the exact patched release version is not independently confirmed from available data - update to the latest version available in the WordPress plugin repository and verify via the changelog that changeset 3532271 is included. As an immediate compensating control, any administrator can neutralize the vulnerability by visiting the FluentCRM SES bounce configuration page, which auto-generates and stores the '_fc_bounce_key'; once stored, the authentication check correctly rejects unauthenticated requests to the bounce handler. Trade-off: this workaround is configuration-dependent and could be reversed if the key is manually cleared. Additionally, network-level egress filtering on the WordPress server to block requests to RFC-1918 addresses and cloud metadata endpoints (e.g., 169.254.169.254) will limit SSRF impact even if the handler remains reachable. The Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5c3ca2d7-7af9-401f-bc5a-1796c6253cb0 should be monitored for patched version confirmation.

Share

EUVD-2026-31418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy