high threat

Fluent Forms Plugin Authorization Bypass via User-Controlled Key (CVE-2026-5396)

The Fluent Forms plugin for WordPress is vulnerable to authorization bypass via a user-controlled key (CVE-2026-5396), allowing authenticated attackers with restricted access to specific forms to manipulate submissions of unauthorized forms by spoofing the 'form_id' parameter.

The Fluent Forms plugin for WordPress, versions up to and including 6.1.21, is susceptible to an authorization bypass vulnerability (CVE-2026-5396). This flaw arises from the SubmissionPolicy class’s reliance on a user-supplied form_id query parameter to authorize submission-level actions, including reading, modifying, deleting, and adding notes. An authenticated attacker, granted Fluent Forms Manager access solely to specific forms, can exploit this vulnerability. By manipulating the form_id parameter to resemble a form they are authorized for, they can gain unauthorized access to, and control over, form submissions of other, restricted forms. This impacts the confidentiality and integrity of data collected through Fluent Forms.

Attack Chain

  1. Attacker authenticates to WordPress with an account that has Fluent Forms Manager access, restricted to specific forms.
  2. Attacker identifies the ‘form_id’ of a form they are authorized to manage.
  3. Attacker crafts a malicious HTTP request targeting a Fluent Forms endpoint that handles submission-level actions (e.g., reading, modifying, deleting, adding notes).
  4. The malicious request includes the ‘form_id’ parameter, spoofed to match the ‘form_id’ of a form they are authorized to manage.
  5. The request is sent to the WordPress server hosting the vulnerable Fluent Forms plugin.
  6. The SubmissionPolicy class in Fluent Forms incorrectly authorizes the request based on the spoofed ‘form_id’ parameter.
  7. Attacker gains unauthorized access to form submissions associated with the target ‘form_id’.
  8. The attacker can then perform actions such as reading, modifying the status, adding notes to, or permanently deleting the form submissions.
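The flaw in the chain above is a CWE-639 pattern: the policy decides on a key the caller controls (the request's form_id) instead of the form the stored submission actually belongs to. The following is an added illustrative model of that pattern and its fix, written for this page; it is not Fluent Forms code, and the Submission, User and SUBMISSIONS names plus the sample data are constructed assumptions.

```python
"""Model of the authorization flaw behind CVE-2026-5396 (illustrative, not plugin code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Submission:
    entry_id: int
    form_id: int  # the form this submission really belongs to


@dataclass(frozen=True)
class User:
    name: str
    allowed_forms: frozenset  # forms this restricted "Manager" may work on


# Constructed sample data: entry 500 belongs to form 3, entry 501 to form 7.
SUBMISSIONS = {500: Submission(500, 3), 501: Submission(501, 7)}
RESTRICTED = User("restricted-manager", frozenset({3}))  # may manage form 3 only


def can_modify_vulnerable(user: User, entry_id: int, query: dict) -> bool:
    """Flawed pattern: trusts the caller-supplied form_id and never consults the record."""
    form_id = int(query.get("form_id", 0))
    return form_id in user.allowed_forms


def can_modify_hardened(user: User, entry_id: int, query: dict) -> bool:
    """Fixed pattern: ownership comes from the stored submission; query form_id is ignored."""
    sub = SUBMISSIONS.get(entry_id)
    if sub is None:
        return False  # unknown entry: deny by default
    return sub.form_id in user.allowed_forms


def spoof_attempted(entry_id: int, query: dict) -> bool:
    """Tamper signal for logging: request form_id disagrees with the record's form."""
    sub = SUBMISSIONS.get(entry_id)
    if sub is None or "form_id" not in query:
        return False
    return int(query["form_id"]) != sub.form_id


if __name__ == "__main__":
    spoofed = {"form_id": "3"}  # claims entry 501 is on form 3; it is on form 7
    print("vulnerable allows:", can_modify_vulnerable(RESTRICTED, 501, spoofed))
    print("hardened allows:  ", can_modify_hardened(RESTRICTED, 501, spoofed))
    print("spoof attempted:  ", spoof_attempted(501, spoofed))
```

The spoof_attempted signal is what a log-based detection for the mismatched form_id described in the Recommendation would key on.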

Impact

Successful exploitation of this vulnerability allows attackers to bypass authorization controls within the Fluent Forms plugin. This can lead to unauthorized access and manipulation of sensitive form submission data. An attacker with limited access can read, modify, or delete submissions from other forms, potentially impacting data integrity and confidentiality. The vulnerability affects all users of the Fluent Forms plugin up to version 6.1.21.

Recommendation

  • Upgrade the Fluent Forms plugin to the latest version to patch CVE-2026-5396.
  • Deploy the Sigma rule “Detect Fluent Forms Authorization Bypass via form_id Parameter” to your SIEM to identify potential exploitation attempts in web server logs.
  • Review user roles and permissions within Fluent Forms to ensure least privilege is enforced.
  • Monitor web server logs for suspicious requests containing manipulated form_id parameters as described in the Attack Chain.

Detection coverage (2 rules)

Detect Fluent Forms Authorization Bypass via form_id Parameter

high

Detects CVE-2026-5396 exploitation — an authorization bypass vulnerability in the Fluent Forms plugin where the form_id parameter is manipulated.

Format: sigma; tactics: defense_evasion, privilege_escalation; techniques: T1555; sources: webserver

Detect Fluent Forms Unauthorized Form Submission Access

medium

Detects unauthorized access to Fluent Forms submissions based on an unusual user agent combined with form_id manipulation.

Format: sigma; tactics: defense_evasion, privilege_escalation; techniques: T1555; sources: webserver
