Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
AC:H reflects the non-default configuration prerequisite (restricted Manager must exist); PR:H confirmed by Manager role requirement; I:L for permanent deletion of records; C and A remain N.
Primary rating from Vendor (wpscan).
CVSS VectorVendor: wpscan
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration in which an administrator has created at least one Manager restricted to specific forms.
AnalysisAI
Broken access control in Fluent Forms WordPress plugin before 6.2.5 allows a restricted Manager role to permanently delete form submission entries belonging to forms outside their authorized scope. The flaw stems from missing authorization checks on the deletion endpoint, which fails to verify that the target submission belongs to a form the Manager is permitted to administer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two prerequisites that together represent a non-default configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 2.7 (Low) reflects the constrained impact surface accurately. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A restricted Manager authenticates to the WordPress admin panel and, rather than navigating to their authorized forms, crafts a direct HTTP request to the submission deletion endpoint supplying the ID of a submission entry belonging to a form they are not permitted to manage. Because the plugin does not re-check form ownership at deletion time, the request succeeds and the submission is permanently destroyed. … |
| Remediation | Upgrade Fluent Forms to version 6.2.5 or later, which is the vendor-released patch per the advisory at https://wpscan.com/vulnerability/3937e20f-dd46-4c2e-b170-d5e5c254b8d2/ and NVD entry https://nvd.nist.gov/vuln/detail/CVE-2026-11578. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41253
GHSA-4j65-fp5w-8p9m