Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-delivered reflected XSS needs no attacker privileges but requires victim click (UI:R); scope change (S:C) into the browser context yields limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja Fluent CRM fluent-crm allows Reflected XSS.This issue affects Fluent CRM: from n/a through <= 3.1.7.
AnalysisAI
Reflected cross-site scripting in the WPManageNinja Fluent CRM WordPress plugin (all versions through 3.1.7) lets a remote unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically hijacking an authenticated WordPress admin session within the wp-admin context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires victim interaction (CVSS UI:R): a target user must open an attacker-crafted request to the Fluent CRM component that reflects the payload - the description confirms this is Reflected XSS, not stored, so there is no persistent trigger and each attack must be delivered per-victim. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and mostly self-consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the site's Fluent CRM endpoint containing a malicious script payload in a reflected parameter and sends it to a logged-in WordPress administrator via email or chat. When the admin opens the link, the payload reflects into the page and executes in their authenticated session, allowing the attacker to steal the session, perform admin actions, or plant further malicious content. … |
| Remediation | Upgrade Fluent CRM to a version later than 3.1.7 as soon as the vendor publishes a fixed release; the input data does not include an exact patched version number, so no vendor-released fixed version can be independently confirmed at time of analysis - consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/fluent-crm/vulnerability/wordpress-fluent-crm-plugin-3-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve) and the WPManageNinja changelog for the corrected build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, immediately disable or deactivate the WPManageNinja Fluent CRM plugin (all versions through 3.1.7) across all WordPress installations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43370