Description
The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.
Published: 2026-05-14
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Fluent Forms plugin allows an attacker who holds an authenticated account with Fluent Forms Manager access limited to a subset of forms to bypass the per-form restriction by supplying a forged form_id in the request. The SubmissionPolicy class authorizes submission-level actions (read, modify status, add notes, and permanently delete) solely on the user-supplied form_id parameter: it compares the form_id the client sends against the forms the user may manage and never consults which form the targeted submission actually belongs to (CWE-639, Authorization Bypass Through User-Controlled Key). Consequently, the attacker can view, alter, annotate, and delete submissions belonging to any other form on the site, which is a breach of the confidentiality and integrity of the data stored in those submissions.
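The pattern described above, as an added illustration that is not Fluent Forms code: the in-memory submission store, the manager's form list, the request shapes and every function name (`authorizeVulnerable`, `authorizeHardened`, `userMayManageForm`) are hypothetical stand-ins for the plugin's own classes. The vulnerable function keys the decision on the client's `form_id`; the hardened one resolves the submission first and takes the owning form from the stored record.

```php
<?php
declare(strict_types=1);

// Added illustration of CWE-639 as described for CVE-2026-5396. Not Fluent
// Forms code: the store, the manager's form list and every function name are
// hypothetical stand-ins for the plugin's SubmissionPolicy and its callers.

// Constructed sample data: two submissions, each owned by a different form.
const SUBMISSIONS = [
    101 => ['form_id' => 1, 'status' => 'unread'],
    202 => ['form_id' => 2, 'status' => 'unread'],
];

// The acting user holds Fluent Forms Manager access for form 1 only.
const MANAGER_FORMS = [1];

function userMayManageForm(int $formId, array $managerForms): bool
{
    return in_array($formId, $managerForms, true);
}

// Vulnerable pattern: the policy keys the check on the form_id the client
// sent. The submission's real owner is never consulted, so a Manager of form 1
// can act on submission 202 (owned by form 2) by claiming form_id=1.
function authorizeVulnerable(array $request, array $managerForms): bool
{
    $claimedFormId = (int) ($request['form_id'] ?? 0);
    return userMayManageForm($claimedFormId, $managerForms);
}

// Hardened pattern: resolve the submission first and take form_id from the
// stored record. A client-supplied form_id is at most a consistency hint, and
// a mismatch is treated as tampering and denied rather than used as a fallback.
function authorizeHardened(array $request, array $managerForms, array $submissions): bool
{
    $submissionId = (int) ($request['entry_id'] ?? 0);
    if (!isset($submissions[$submissionId])) {
        return false; // unknown submission: deny without revealing why
    }
    $ownerFormId = $submissions[$submissionId]['form_id'];

    if (isset($request['form_id']) && (int) $request['form_id'] !== $ownerFormId) {
        return false; // client claim disagrees with the record
    }
    return userMayManageForm($ownerFormId, $managerForms);
}

// Constructed requests: a spoofed one (entry 202 belongs to form 2, the
// attacker claims form 1) and a legitimate one against the attacker's own form.
$spoofed    = ['entry_id' => 202, 'form_id' => 1];
$legitimate = ['entry_id' => 101, 'form_id' => 1];

$results = [
    'vulnerable, spoofed request'  => authorizeVulnerable($spoofed, MANAGER_FORMS),
    'hardened, spoofed request'    => authorizeHardened($spoofed, MANAGER_FORMS, SUBMISSIONS),
    'hardened, legitimate request' => authorizeHardened($legitimate, MANAGER_FORMS, SUBMISSIONS),
];

foreach ($results as $label => $allowed) {
    printf("%-30s %s\n", $label . ':', $allowed ? 'ALLOWED' : 'denied');
}
```

Run it with the PHP CLI. The point of the hardened variant is that the authorization key is looked up server-side from the object being acted on; the client's `form_id` is kept only so that a disagreement between the claimed and the stored form can be rejected outright. The same rule applies to every action the description lists (read, status change, note, delete), since each one names a submission and the submission, not the request, determines the form whose permissions apply.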

Affected Systems

Vulnerable systems are WordPress sites running the Techjewel Fluent Forms plugin at version 6.1.21 or earlier. Exposure requires at least one account that has been granted Fluent Forms Manager access restricted to a subset of forms, since that is the position from which the bypass is exercised. The recommended actions below name 6.2.0 as the release to upgrade to.

Risk and Exploitability

The CVSS 3.1 base score of 8.2 (High) follows from the vector published by the assigner, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. Note that this vector records PR:N (no privileges required), which does not match the authenticated, Fluent Forms Manager precondition in the description, so the score is best read as an upper bound rather than a precise rating. EPSS is below 1% and the CVE is not in the KEV catalog, so there is no indication of in-the-wild exploitation at publication; the SSVC values recorded in the history (Exploitation: none, Automatable: yes, Technical Impact: partial) point the same way, although "Automatable: yes" is consistent with the attack being a single crafted request once an account is in hand. The attack vector, as far as the description allows inference, is an ordinary authenticated request in which the form_id parameter names a form the attacker is allowed to manage while the submission identifier points at a submission of another form; no further privilege escalation and no code execution are involved.

Generated by OpenCVE AI on May 14, 2026 at 07:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fluent Forms to version 6.2.0 or newer, which corrects the SubmissionPolicy authorization check.
  • If an immediate upgrade is not possible, do not rely on narrowing a Manager's form list: the bypass defeats exactly that per-form restriction. Instead, temporarily revoke Fluent Forms Manager access from any account that is not trusted with the submissions of every form on the site.
  • After patching or changing permissions, verify with a test account (Subscriber level or higher) holding Manager access to a single form that requests naming that form's form_id together with a submission ID from a different form are rejected for each of the read, status change, add note, and delete actions.

Generated by OpenCVE AI on May 14, 2026 at 07:29 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 11:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 08:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Techjewel; Techjewel fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Techjewel; Techjewel fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder; Wordpress; Wordpress wordpress

Thu, 14 May 2026 06:00:00 +0000

Type: Description
Values removed: (none)
Values added: the description shown at the top of this page (Fluent Forms <= 6.1.21, Authorization Bypass Through User-Controlled Key via the form_id parameter)

Type: Title
Values removed: (none)
Values added: Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter

Type: Weaknesses
Values removed: (none)
Values added: CWE-639

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:46:46.093Z

Reserved: 2026-04-01T23:59:10.834Z

Link: CVE-2026-5396

Vulnrichment

Updated: 2026-05-14T10:46:41.087Z

NVD

Status : Deferred

Published: 2026-05-14T06:16:24.117

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-5396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T07:45:15Z

Weaknesses