FluentCRM XSS Vulnerability (CVE-2025-12935): Understanding and Mitigation

Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress. Designated as CVE-2025-12935, this vulnerability affects all versions up to and including 2.9.84. It allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages. This injected code can then execute whenever a user views the affected page, potentially leading to account compromise, data theft, or other malicious activities.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the fluentcrm_content shortcode: attribute values placed in post content are rendered into the page without being sanitized on input or escaped on output, so a crafted shortcode attribute can carry arbitrary web script that runs in the browser of anyone who views the page.
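To make the input-sanitization and output-escaping point concrete, here is an added illustration of the two shortcode-handler patterns in plain PHP. It is not FluentCRM's code and does not reproduce the plugin's real attribute names (the `tag` and `class` attributes are assumed for the example); the small `*_like()` helpers stand in for the WordPress functions `shortcode_atts()`, `esc_attr()` and `sanitize_html_class()` so the script runs without a WordPress install.

```php
<?php
// Added example, not FluentCRM's code. Shows why unescaped shortcode
// attributes lead to stored XSS and what the hardened handler looks like.
declare(strict_types=1);

// Stand-in for WordPress esc_attr(): HTML-entity encode for an attribute context.
function esc_attr_like(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for WordPress sanitize_html_class(): keep only a conservative charset.
function sanitize_html_class_like(string $s): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '', $s) ?? '';
}

// Stand-in for WordPress shortcode_atts(): keep known keys only, fill defaults.
function shortcode_atts_like(array $defaults, array $atts): array
{
    $out = [];
    foreach ($defaults as $key => $default) {
        $out[$key] = array_key_exists($key, $atts) ? (string) $atts[$key] : $default;
    }
    return $out;
}

// Vulnerable pattern: attribute values concatenated straight into markup.
// A value containing a quote closes the attribute and adds new ones.
function render_unsafe(array $atts): string
{
    $a = shortcode_atts_like(['tag' => '', 'class' => ''], $atts);
    return '<div class="' . $a['class'] . '" data-tag="' . $a['tag'] . '"></div>';
}

// Hardened pattern: sanitize on input where a strict charset exists,
// and escape every value at the point of output.
function render_safe(array $atts): string
{
    $a = shortcode_atts_like(['tag' => '', 'class' => ''], $atts);
    $class = sanitize_html_class_like($a['class']);
    return '<div class="' . esc_attr_like($class)
        . '" data-tag="' . esc_attr_like($a['tag']) . '"></div>';
}

// Crude audit check: does the rendered HTML contain an inline event handler
// attribute (whitespace, then on<name>=)? Useful when reviewing rendered output.
function contains_live_handler(string $html): bool
{
    return (bool) preg_match('/\s+on[a-z]+\s*=/i', $html);
}

// Constructed attribute set (not from the page): the kind of value a
// contributor-level user could save in a post's shortcode.
$crafted = ['class' => 'x" onmouseover="alert(1)', 'tag' => 'vip'];

echo render_unsafe($crafted), PHP_EOL; // attribute breakout, handler is live
echo render_safe($crafted), PHP_EOL;   // quotes stripped/encoded, no handler
echo contains_live_handler(render_unsafe($crafted)) ? "unsafe: yes\n" : "unsafe: no\n";
echo contains_live_handler(render_safe($crafted)) ? "safe: yes\n" : "safe: no\n";
```

Run it with `php example.php`. The unsafe render emits `class="x" onmouseover="alert(1)"`, which a browser treats as a real event handler; the hardened render reduces the class to `xonmouseoveralert1` and entity-encodes the remaining values, so the check reports no handler. The general rule this demonstrates is the one WordPress documents for shortcodes: whitelist attributes with `shortcode_atts()`, sanitize values whose format is known, and escape everything with the context-appropriate `esc_*()` function at output time.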

The vulnerable code can be traced back to the following files within the FluentCRM plugin (version 2.9.84):

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns this vulnerability a score of 6.4 (Medium). This score reflects the potential impact of the vulnerability, which includes:

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

While the attacker requires authentication (low privileges) and user interaction is necessary for the script to execute, the script runs in the context of whichever user views the page, and that change of scope is what raises the severity.

Possible Impact

Successful exploitation of this XSS vulnerability could have the following consequences:

  • Account Takeover: An attacker could steal a user’s session cookie and gain unauthorized access to their account.
  • Data Theft: Sensitive information, such as personal details or CRM data, could be exfiltrated.
  • Malicious Redirection: Users could be redirected to phishing websites or other malicious domains.
  • Website Defacement: An attacker could modify the content of the affected page.
  • Administrative Access: In the event of an administrator accessing a page with a malicious script, the attacker could potentially gain administrative access to the WordPress site.

Mitigation and Patch Steps

The recommended mitigation step is to update the FluentCRM plugin to the latest version. The vulnerability has been patched in versions released after 2.9.84.

You can update the plugin directly from your WordPress dashboard by navigating to the “Plugins” section and clicking “Update” next to FluentCRM. Ensure you are running the latest version to protect your website.

According to WordPress.org, the changeset 3399640 addresses the vulnerability.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.