The vulnerability in the Fluent Forms plugin for WordPress is an insecure direct object reference in its exportEntries function. A missing validation on the user‑controlled "table" key lets any authenticated user with manager‑level or higher permissions bypass form‑level restrictions, retrieve submissions from hidden forms, export data from arbitrary database tables, and enumerate table names via error messages. The result is unauthorized disclosure of potentially sensitive user data and full database visibility, which breaches confidentiality and can reveal personal or business information.

The flaw affects the TechJewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin in every version up to and including 6.2.0. Any WordPress site installing the plugin at these or earlier versions is vulnerable, provided the user has at least manager‑level access to the plugin.

The CVSS score of 8.2 marks the vulnerability as high severity. Although no EPSS score is available, the exploit requires only valid credentials with manager‑level permissions that are typically granted to site administrators or advanced collaborators, making the attack probability significant. The flaw is triggered through normal plugin usage and requires no special network exploitation, and it is not yet listed in CISA’s KEV catalog, indicating no known large‑scale exploitation. However, the absence of proper access checks and the ability to enumerate database tables give an attacker a direct pathway to sensitive data disclosure.