Skip to main content

Fluent Forms CVE-2026-5395

| EUVDEUVD-2026-30250 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 Wordfence GHSA-2q4q-jqhc-8rg8
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:44 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
HIGH 8.2

DescriptionCVE.org

The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure.

AnalysisAI

Insecure Direct Object Reference in the WordPress Fluent Forms plugin (versions through 6.2.0) allows authenticated users with Fluent Forms manager-level privileges to bypass form-level access controls via the exportEntries function. Attackers can exfiltrate submissions from forms they should not access, export data from arbitrary database tables, and enumerate table names through error message disclosure. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%) despite the high CVSS score.

Technical ContextAI

Fluent Forms is a popular WordPress plugin by TechJewel used for building contact forms, surveys, quizzes, and conversational forms, with role-based access controls that restrict which managers can view which form submissions. The root cause maps to CWE-639 (Authorization Bypass Through User-Controlled Key): the exportEntries function in app/Services/Transfer/TransferService.php accepts a user-supplied key identifying the target resource without verifying that the requesting user is authorized for it. Because the parameter is trusted, an attacker can substitute identifiers pointing to other forms - or, more broadly, to arbitrary database tables - turning a scoped export feature into a generic data exfiltration primitive. Database error messages leaked through the export path additionally reveal table names, enabling reconnaissance of the underlying schema.

RemediationAI

Upstream fix available (commit/changeset 3507987 in plugins.trac.wordpress.org/changeset/3507987/fluentform/trunk/app/Services/Transfer/TransferService.php); a tagged patched release version above 6.2.0 is not independently confirmed from the provided data, so administrators should upgrade Fluent Forms to the latest available version released after this changeset and verify against the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd12b8a-2033-4236-abcd-2a8d08e7f099. As compensating controls until upgrade, revoke or tightly restrict the Fluent Forms manager capability to a minimum set of fully-trusted administrators (trade-off: legitimate form managers lose entry-export workflows), disable or block access to the entries export endpoint via a WAF rule or .htaccess restriction on the wp-admin Fluent Forms transfer/export routes (trade-off: breaks data-export functionality for all users), and review WordPress audit logs for unexpected export activity by manager-role accounts.

Share

CVE-2026-5395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy