Skip to main content

Flowforms Conversational Form Builder

1 CVEs product

Monthly

CVE-2026-12400 MEDIUM This Month

Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass WordPress Flowforms Conversational Form Builder
NVD
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass WordPress Flowforms Conversational Form Builder
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy