The Wordfence Threat Intelligence team responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability in WP Fluent Forms, a WordPress plugin installed on over 80,000 sites. This vulnerability also allowed a stored Cross-Site Scripting (XSS) attack which, if successfully exploited, could be used to take over a site.
A patched version of the plugin, 3.6.67, was released on March 5, 2021.
Source: https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-in-wp-fluent-forms