Skip to main content

Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder

2 CVEs product

Monthly

CVE-2026-5069 MEDIUM This Month

Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-5395 HIGH This Week

Insecure Direct Object Reference in the WordPress Fluent Forms plugin (versions through 6.2.0) allows authenticated users with Fluent Forms manager-level privileges to bypass form-level access controls via the exportEntries function. Attackers can exfiltrate submissions from forms they should not access, export data from arbitrary database tables, and enumerate table names through error message disclosure. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%) despite the high CVSS score.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
CVSS 3.1
8.2
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM This Month

Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Insecure Direct Object Reference in the WordPress Fluent Forms plugin (versions through 6.2.0) allows authenticated users with Fluent Forms manager-level privileges to bypass form-level access controls via the exportEntries function. Attackers can exfiltrate submissions from forms they should not access, export data from arbitrary database tables, and enumerate table names through error message disclosure. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%) despite the high CVSS score.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy