{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fluent-forms-plugin--6.1.21/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-5396"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Fluent Forms plugin \u003c= 6.1.21"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","wordpress","plugin"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Fluent Forms plugin for WordPress, versions up to and including 6.1.21, is susceptible to an authorization bypass vulnerability (CVE-2026-5396). This flaw arises from the \u003ccode\u003eSubmissionPolicy\u003c/code\u003e class\u0026rsquo;s reliance on a user-supplied \u003ccode\u003eform_id\u003c/code\u003e query parameter to authorize submission-level actions, including reading, modifying, deleting, and adding notes. An authenticated attacker, granted Fluent Forms Manager access solely to specific forms, can exploit this vulnerability. By manipulating the \u003ccode\u003eform_id\u003c/code\u003e parameter to resemble a form they are authorized for, they can gain unauthorized access to, and control over, form submissions of other, restricted forms. This impacts the confidentiality and integrity of data collected through Fluent Forms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to WordPress with an account that has Fluent Forms Manager access, restricted to specific forms.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the \u0026lsquo;form_id\u0026rsquo; of a form they are authorized to manage.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting a Fluent Forms endpoint that handles submission-level actions (e.g., reading, modifying, deleting, adding notes).\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the \u0026lsquo;form_id\u0026rsquo; parameter, spoofed to match the \u0026lsquo;form_id\u0026rsquo; of a form they are authorized to manage.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the WordPress server hosting the vulnerable Fluent Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSubmissionPolicy\u003c/code\u003e class in Fluent Forms incorrectly authorizes the request based on the spoofed \u0026lsquo;form_id\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to form submissions associated with the target \u0026lsquo;form_id\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as reading, modifying the status, adding notes to, or permanently deleting the form submissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass authorization controls within the Fluent Forms plugin. This can lead to unauthorized access and manipulation of sensitive form submission data. An attacker with limited access can read, modify, or delete submissions from other forms, potentially impacting data integrity and confidentiality. The vulnerability affects all users of the Fluent Forms plugin up to version 6.1.21.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Fluent Forms plugin to the latest version to patch CVE-2026-5396.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Fluent Forms Authorization Bypass via form_id Parameter\u0026rdquo; to your SIEM to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions within Fluent Forms to ensure least privilege is enforced.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing manipulated \u003ccode\u003eform_id\u003c/code\u003e parameters as described in the Attack Chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T06:17:56Z","date_published":"2026-05-14T06:17:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fluent-forms-auth-bypass/","summary":"The Fluent Forms plugin for WordPress is vulnerable to authorization bypass via a user-controlled key (CVE-2026-5396), allowing authenticated attackers with restricted access to specific forms to manipulate submissions of unauthorized forms by spoofing the 'form_id' parameter.","title":"Fluent Forms Plugin Authorization Bypass via User-Controlled Key (CVE-2026-5396)","url":"https://feed.craftedsignal.io/briefs/2026-05-fluent-forms-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Fluent Forms Plugin \u003c= 6.1.21","version":"https://jsonfeed.org/version/1.1"}