PT-2026-40870 · WordPress · Fluent Forms

Author: Sander Horsman · Published: 2026-05-14 · Updated: 2026-05-14

CVE-2026-5396 · CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Fluent Forms versions prior to 6.1.22

Description: An authorization bypass exists in the SubmissionPolicy class, which authorizes submission-level actions such as reading, modifying, deleting, and adding notes based on a user-supplied form id query parameter. Authenticated attackers with Fluent Forms Manager access restricted to specific forms can spoof the form id parameter to access, modify the status of, add notes to, or permanently delete form submissions belonging to any other form.

Recommendations: Update to version 6.1.22 or later.
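The authorization pattern described above, as an added illustration that is not Fluent Forms' own code: a submission-level check that trusts the form id supplied by the caller, beside one that resolves the form id from the stored submission record before consulting the manager's form assignments. All function names and the sample data are hypothetical.

```php
<?php
// Added illustration of the authorization pattern described in the advisory.
// Hypothetical names and constructed sample data; NOT Fluent Forms' own code.

// Constructed data: each submission records the form it really belongs to,
// and each manager is allowed to work on a fixed set of forms.
$submissions = [
    101 => ['form_id' => 1, 'status' => 'unread'],
    202 => ['form_id' => 2, 'status' => 'unread'],
];
$managerForms = [
    'alice' => [1], // Alice is a manager for form 1 only
];

// Vulnerable pattern: the form id comes from the request, so it is under
// the caller's control and says nothing about which form the submission
// actually belongs to.
function canActOnSubmissionVulnerable(string $user, int $requestedFormId, array $managerForms): bool
{
    return in_array($requestedFormId, $managerForms[$user] ?? [], true);
}

// Hardened pattern: look the submission up first, take the form id from the
// stored record, and authorize against that. Unknown submissions are denied.
function canActOnSubmissionFixed(string $user, int $submissionId, array $submissions, array $managerForms): bool
{
    if (!isset($submissions[$submissionId])) {
        return false;
    }
    $realFormId = $submissions[$submissionId]['form_id'];
    return in_array($realFormId, $managerForms[$user] ?? [], true);
}

// Scenario: Alice requests submission 202 (stored under form 2) while
// supplying form id 1, the form she is allowed to manage.
$spoofedFormId = 1;
$requestedSubmission = 202;
var_dump(canActOnSubmissionVulnerable('alice', $spoofedFormId, $managerForms));
var_dump(canActOnSubmissionFixed('alice', $requestedSubmission, $submissions, $managerForms));
```

Only the second check consults the submission's real form, so a caller-supplied form id cannot widen the set of submissions a restricted manager may act on.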

Fix

IDOR


Weakness Enumeration

Related Identifiers: CVE-2026-5396

Affected Products: Fluent Forms