Description
Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.2.
Published: 2026-04-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass via IDOR
Action: Immediate patch
AI Analysis

Impact

The WordPress plugin FluentBoards suffers from an Insecure Direct Object Reference (IDOR) flaw: an attacker can bypass the plugin's authorization controls by supplying a user-controlled object key. The result is unauthorized viewing, editing, or deletion of resources such as boards, tasks, or other object types governed by the plugin. The weakness is classified as CWE-639.

Affected Systems

Affected is the FluentBoards plugin for WordPress, authored by Mahmudul Hasan Arif. All releases up to and including version 1.91.2 are vulnerable. No specific patch version is listed in the CNA data.

Risk and Exploitability

Given that the EPSS score is not available and the vulnerability is not listed in CISA KEV, the risk remains unquantified; however, exploitation requires only moderate effort. Based on the description, it is inferred that an attacker can construct requests with guessed or enumerated object identifiers to read or manipulate protected data. The likely attack vector is remote via the web, assuming the attacker can access the WordPress site. No evidence of active exploitation is reported, but the flaw enables privilege escalation within the WordPress installation.

Generated by OpenCVE AI on April 15, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FluentBoards to the latest released version (>= 1.91.3) which removes the IDOR flaw
  • Disable or uninstall FluentBoards if it is not required for site functionality
  • Configure WordPress and the plugin to enforce strict role‑based access controls, ensuring that all object identifiers are validated server‑side against the requesting user’s permissions
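The last recommendation above is the actual fix for CWE-639: every object identifier taken from a request must be checked against the requesting user's rights before the object is touched. The snippet below is an added illustration written for this page; it is not FluentBoards code and does not reflect how that plugin is implemented. It assumes a hypothetical custom post type `task` registered with WordPress's standard post capability mapping, and shows a REST route whose permission callback only checks for a logged-in user (the IDOR-prone pattern) next to one that performs a per-object capability check.

```php
<?php
// Added illustration, not FluentBoards code. Assumes a hypothetical custom
// post type 'task' whose capabilities map onto the core post capabilities
// (so current_user_can( 'delete_post', $id ) resolves owner vs. non-owner).

// Weak pattern: any authenticated user may delete any task simply by
// changing the numeric id in the URL. Being logged in is checked; whether
// this user may act on *this* object is not (CWE-639).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-weak/v1', '/task/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_delete_task',
        'permission_callback' => 'is_user_logged_in', // object-agnostic check
    ) );
} );

// Hardened pattern: the permission callback resolves the object first and
// asks WordPress whether the current user holds the capability for that
// specific object. Missing and forbidden objects get the same 403 so the
// id space cannot be mapped through differing responses.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-hardened/v1', '/task/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_delete_task',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = absint( $request->get_param( 'id' ) );
            if ( ! example_user_can_delete_task( $post_id ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to do that.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
    ) );
} );

/**
 * Object-level authorization: the post must exist, must be of the expected
 * type (so an id belonging to some other object type is rejected too), and
 * the current user must hold the per-object 'delete_post' meta capability,
 * which core maps to delete_posts for the author and delete_others_posts
 * for everyone else.
 */
function example_user_can_delete_task( int $post_id ): bool {
    $post = get_post( $post_id );
    if ( ! $post instanceof WP_Post || 'task' !== $post->post_type ) {
        return false;
    }
    return current_user_can( 'delete_post', $post_id );
}

// Shared handler. It never re-reads the id from an untrusted source and
// relies on the permission callback having already run.
function example_delete_task( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'id' ) );
    $deleted = wp_delete_post( $post_id, true );
    if ( ! $deleted ) {
        return new WP_Error( 'rest_cannot_delete', 'Delete failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $post_id ) );
}
```

The point to carry over when auditing any plugin is the shape of the permission callback: it takes the object id out of the request, loads the object, and decides based on that object and the current user, rather than on the user alone. The same check belongs on every read, update and delete route that accepts an identifier, not only on the delete shown here.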

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:15:00 +0000

  • Metrics, values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

  • First Time appeared, values added: Mahmudul Hasan Arif; Mahmudul Hasan Arif fluentboards; Wordpress; Wordpress wordpress
  • Vendors & Products, values added: Mahmudul Hasan Arif; Mahmudul Hasan Arif fluentboards; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 10:45:00 +0000

  • Description, values added: Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.2.
  • Title, values added: WordPress FluentBoards plugin <= 1.91.2 - Insecure Direct Object References (IDOR) vulnerability
  • Weaknesses, values added: CWE-639
  • References, values added: (none shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-15T15:43:56.980Z

Reserved: 2026-04-15T09:20:42.117Z

Link: CVE-2026-40784

Vulnrichment

Updated: 2026-04-15T15:43:28.450Z

NVD

Status: Received

Published: 2026-04-15T11:16:37.030

Modified: 2026-04-15T16:16:38.833

Link: CVE-2026-40784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:52:57Z

Weaknesses