Skip to main content

FlowForms CVE-2026-12400

| EUVDEUVD-2026-42847 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-10 Wordfence GHSA-qcj5-mp4w-93gp
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible REST endpoint, low complexity, contributor auth required (PR:L), integrity-only impact modifying form content with no code execution or data disclosure.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 09:25 vuln.today
CVE Published
Jul 10, 2026 - 07:48 nvd
MEDIUM 4.3

DescriptionCVE.org

The FlowForms - Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site - including forms owned by administrators - by supplying an arbitrary form ID in the REST URL.

AnalysisAI

Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor-level WordPress account
Delivery
Enumerate or guess target form IDs via REST API
Exploit
Craft update_form REST request with victim form ID
Execution
Submit request bypassing authorization check
Impact
Modify or publish administrator-owned form content

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user with at minimum contributor-level role access. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) yields a score of 4.3 (Medium), accurately capturing a network-accessible, low-complexity flaw gated by contributor-level authentication with integrity-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or obtained a contributor-level WordPress account sends a crafted HTTP PATCH or PUT request to the FlowForms REST API update_form endpoint, substituting the form ID of an administrator-owned form in the URL path. Because the plugin performs no ownership validation, the request is processed, allowing the attacker to silently alter form fields, redirect submission endpoints, change design settings, or publish/revert the form - all without the administrator's knowledge. …
Remediation A fix changeset is available in the WordPress plugin SVN repository at https://plugins.trac.wordpress.org/changeset?reponame=&old=3577870%40flowforms&new=3577870%40flowforms; however, no explicit patched release version number is confirmed from the available references, making this an upstream fix available via SVN commit with a released patched version not independently verified. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy