Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-accessible REST endpoint, low complexity, contributor auth required (PR:L), integrity-only impact modifying form content with no code execution or data disclosure.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The FlowForms - Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site - including forms owned by administrators - by supplying an arbitrary form ID in the REST URL.
AnalysisAI
Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user with at minimum contributor-level role access. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) yields a score of 4.3 (Medium), accurately capturing a network-accessible, low-complexity flaw gated by contributor-level authentication with integrity-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered or obtained a contributor-level WordPress account sends a crafted HTTP PATCH or PUT request to the FlowForms REST API update_form endpoint, substituting the form ID of an administrator-owned form in the URL path. Because the plugin performs no ownership validation, the request is processed, allowing the attacker to silently alter form fields, redirect submission endpoints, change design settings, or publish/revert the form - all without the administrator's knowledge. … |
| Remediation | A fix changeset is available in the WordPress plugin SVN repository at https://plugins.trac.wordpress.org/changeset?reponame=&old=3577870%40flowforms&new=3577870%40flowforms; however, no explicit patched release version number is confirmed from the available references, making this an upstream fix available via SVN commit with a released patched version not independently verified. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42847
GHSA-qcj5-mp4w-93gp