
cpe:2.3:a:techjewel:fluentcrm_–_email_newsletter,_automation,_email_marketing,_email_campaigns,_optins,_leads,_and_crm_solution:*:*:*:*:*:*:*:*

part: a
version: *
update: *

Vendor: Techjewel (8c1c7a9c-9004-5a05-90f7-99f2e51aad2b)
Product: Fluentcrm – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, And Crm Solution (708a411a-4d35-509f-b855-85dfd4b1beb3)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale
CVE-2026-7798 (applicability: vulnerable; submitted 2026-06-08 08:08:57.690695)
Title: FluentCRM <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter
Severity: MEDIUM (5.4)
The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling), as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests.
Published: 2026-05-22T07:50:26.354Z
Updated: 2026-05-22T18:36:42.222Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2025-12935 (applicability: vulnerable; submitted 2026-06-08 07:04:31.226369)
Title: FluentCRM - Marketing Automation For WordPress <= 2.9.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluentcrm_content' Shortcode
Severity: MEDIUM (6.4)
The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fluentcrm_content' shortcode in all versions up to, and including, 2.9.84 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-21T12:28:08.412Z
Updated: 2026-04-08T17:00:32.098Z
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2023-1430 (applicability: vulnerable; submitted 2026-06-08 05:52:35.906333)
Title: FluentCRM - Marketing Automation For WordPress <= 2.8.01 - Insufficient Use of Hash as Authorization Control
Severity: MEDIUM (6.5)
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to unsubscribe users from lists and manage subscriptions, granted they gain access to any targeted subscriber's email address.
Published: 2023-06-09T05:33:37.287Z
Updated: 2026-04-08T17:28:18.137Z
Rationale: Imported from gcve-enriched-dumps CVE data
