Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied form_id query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.
AnalysisAI
Authorization bypass in the Fluent Forms WordPress plugin (versions ≤6.1.21) allows authenticated Fluent Forms Managers to read, modify, annotate, and delete submissions belonging to forms outside their assigned scope by tampering with a user-controlled form_id query parameter. The flaw stems from the SubmissionPolicy class trusting client-supplied input for authorization decisions, granting cross-form access despite role restrictions. No public exploit identified at time of analysis, and EPSS exploitation probability remains low at 0.03%.
Technical ContextAI
Fluent Forms is a popular WordPress contact/survey form plugin that provides a delegated administration model via 'Fluent Forms Manager' role permissions, which can be scoped to specific forms. The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key): the SubmissionPolicy class in app/Http/Policies/SubmissionPolicy.php evaluates whether a caller may act on a submission by reading the form_id directly from the request query string rather than deriving it from the actual submission record or validating it against the manager's assigned form scope. Because the authorization check trusts attacker-controlled input as the resource identifier, supplying any form_id the attacker is authorized for satisfies the policy while the underlying operation still targets submissions tied to a different form_id in the database.
RemediationAI
Upgrade the Fluent Forms plugin to version 6.2.0 or later, which contains the corrected SubmissionPolicy authorization logic per the Plugin Trac changeset linked above and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/81aad41e-0330-4dff-a5f8-08a108d724f5). Where immediate upgrade is not possible, revoke the Fluent Forms Manager role from any untrusted or externally delegated accounts so that only fully trusted administrators retain submission access - this eliminates the exploitation prerequisite at the cost of removing per-form delegation. As an additional compensating control, audit the wp_fluentform_submissions and related tables for unexpected status changes, added notes, or recent deletions to detect prior misuse, since the vulnerability supports a destructive (delete) operation that the integrity-low CVSS rating understates for environments where submission records are the system of record. Refer also to the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-5396 for tracking.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30232
GHSA-px32-v334-cgrw