External risk intelligence

WordPress plugin allows attackers to access internal company information.

CVE advisory

Severity: MEDIUM (CVSS 5.4)

CVE-2026-7798

The FluentCRM WordPress plugin has a vulnerability that allows unauthenticated attackers to make your website send requests to other systems, potentially exposing internal information if certain email settings have not been configured.

Halo Surface Signal: 4

Server-Side Request Forgery

External exposure likelihood

Halo Surface Signal score for CVE-2026-7798

The vulnerability affects a WordPress plugin, which is commonly deployed as part of an internet-facing web application. Unauthenticated external HTTP requests can reach the affected subscription handling endpoint directly in standard web deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This issue affects the FluentCRM WordPress plugin and lets an attacker make requests from your web application to other systems. This could expose or alter sensitive information if the plugin's email bounce handling has not been configured.

  • Can query internal services.
  • Requires unconfigured bounce handling.
  • Exploitable by unauthenticated attackers.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability to trick the WordPress site into making requests to internal or external servers. This could be used to scan internal networks, exfiltrate data from internal services, or trigger actions on other systems by leveraging the vulnerable WordPress site as a proxy. Exploitation is only possible if the site has not yet configured SES bounce handling.

  • No authentication required.
  • Vulnerable: SubscribeURL parameter.
  • Default/unconfigured SES bounce handling.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to prioritize this vulnerability due to its specific configuration requirements. Successful exploitation hinges on the SES bounce handling key never having been configured, a state that changes as soon as the bounce configuration page is visited. This makes the window of opportunity narrow and the vulnerability less appealing for broad exploitation.

  • Unauthenticated SSRF
  • WordPress plugin vulnerability
  • Exploitation requires unconfigured state

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize verifying that the SES bounce handling key has been configured in FluentCRM, which prevents exploitation. If it has not, consider disabling the bounce handling feature or upgrading to a version that addresses this blind SSRF vulnerability. Monitor network traffic for unusual outbound requests originating from your WordPress instances.

  • Configure the bounce handling key.
  • Block outbound requests to internal services.
  • Monitor for unauthorized network activity.
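As an added illustration (not code from FluentCRM or from this advisory), here are the two controls the attack path and fix sections imply, written in Python: the bounce endpoint refuses to act until a bounce key has been stored and the request presents the same key, and the SubscribeURL is fetched only when it is an HTTPS URL on an SNS endpoint. The function name, the SNS host pattern, and the way the key is carried in the request are assumptions for this example; the plugin's real request format is not described on this page.

```python
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: SNS subscription-confirmation URLs live on regional SNS hosts.
SNS_HOST_RE = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com$")

def validate_bounce_confirmation(stored_key: Optional[str], presented_key: Optional[str],
                                 subscribe_url: str) -> Tuple[bool, str]:
    """Hypothetical guard for a bounce endpoint: returns (allowed, reason).

    Control 1: act only when a bounce key is stored AND the request presents the
    same key, so a never-configured site is not an open, unauthenticated endpoint.
    Control 2: fetch SubscribeURL only if it is HTTPS on an SNS host, so the site
    cannot be used as a proxy toward arbitrary or internal targets.
    """
    if not stored_key:
        return False, "no bounce key configured; endpoint disabled"
    if not presented_key or not hmac.compare_digest(stored_key.encode(),
                                                    presented_key.encode()):
        return False, "bounce key mismatch"
    parts = urlsplit(subscribe_url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        # Blocks confusable forms such as https://sns.eu-west-1.amazonaws.com@10.0.0.5/
        return False, "userinfo in URL not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"port {port} not allowed"
    host = (parts.hostname or "").lower()
    if not SNS_HOST_RE.match(host):
        return False, f"host {host!r} is not an SNS endpoint"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample requests; none come from a real deployment.
    ok_url = "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=EXAMPLE"
    for stored, sent, url in [
        (None, None, ok_url),                       # unconfigured site: refused
        ("k3y", "k3y", ok_url),                     # configured + correct key: allowed
        ("k3y", "wrong", ok_url),                   # wrong key: refused
        ("k3y", "k3y", "https://10.0.0.5/status"),  # internal target: refused
    ]:
        print(validate_bounce_confirmation(stored, sent, url))
```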

Frequently asked questions

What is the purpose of the FluentCRM WordPress plugin?

FluentCRM is a WordPress plugin designed for managing email newsletters, marketing automation, campaigns, lead capture through opt-in forms, and customer relationship management directly within a WordPress site.

How does CVE-2026-7798 enable attackers to access internal information?

CVE-2026-7798 is a Blind Server-Side Request Forgery (SSRF) vulnerability. It allows unauthenticated attackers to trick the WordPress site into sending web requests to arbitrary locations, potentially querying or modifying data from internal services.

What weakness class is associated with CVE-2026-7798?

The weakness class associated with CVE-2026-7798 is CWE-918, which relates to Server-Side Request Forgery (SSRF).

What is required for an attacker to exploit CVE-2026-7798?

Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored, meaning the site is in its default, unconfigured state for SES bounce handling. Visiting the bounce configuration page auto-generates and stores this key, preventing unauthenticated requests.

What is the recommended operational fix for CVE-2026-7798?

The recommended fix is to prioritize verifying that the 'SES bounce handling key' has been configured in FluentCRM. If it is not configured, consider disabling the bounce handling feature or upgrading to a patched version of the plugin. Monitoring network traffic for unusual outbound requests is also advised.
