{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fluentforms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-5395"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Fluent Forms – Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder plugin \u003c= 6.2.0"],"_cs_severities":["high"],"_cs_tags":["insecure-direct-object-reference","wordpress","fluentforms","cve-2026-5395"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Fluent Forms – Customizable Contact Forms, Survey, Quiz, \u0026amp; Conversational Form Builder plugin for WordPress, versions up to and including 6.2.0, contains an Insecure Direct Object Reference (IDOR) vulnerability. This flaw resides within the \u003ccode\u003eexportEntries\u003c/code\u003e function. The vulnerability stems from a lack of proper validation on a user-controlled key, enabling authenticated attackers with manager-level access or higher to circumvent form-level access restrictions. This allows them to access submissions from forms they lack authorization to view. The issue was reported on May 14, 2026, and is tracked as CVE-2026-5395. Exploitation can lead to unauthorized data access, potential data exfiltration, and information disclosure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress instance with manager-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eexportEntries\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe request includes a manipulated user-controlled key to bypass form-level access restrictions.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation, the application processes the request without verifying the attacker\u0026rsquo;s authorization to the target form.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to form submissions from forms they are not authorized to view.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the same IDOR vulnerability to export data from arbitrary database tables by manipulating the key.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages error messages disclosed by the application to enumerate database table names.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the sensitive data obtained from unauthorized access to form submissions and exported database tables.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5395 allows attackers to bypass access controls and gain unauthorized access to sensitive form submission data. This can lead to the exposure of personal information, business intelligence, or other confidential data collected through the forms. The ability to export arbitrary database tables further expands the scope of the attack, potentially compromising the entire WordPress database. The enumeration of database table names provides attackers with valuable information for further reconnaissance and exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for the Fluent Forms plugin to patch CVE-2026-5395.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-5395 Exploitation Attempt via Fluent Forms IDOR\u0026rdquo; to monitor for suspicious requests to the \u003ccode\u003eexportEntries\u003c/code\u003e function in the webserver logs.\u003c/li\u003e\n\u003cli\u003eReview user access controls and ensure that users have only the necessary privileges to access specific forms to mitigate potential internal threats.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for the WordPress application to capture relevant events for investigating potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T07:18:04Z","date_published":"2026-05-14T07:18:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fluentforms-idor/","summary":"The Fluent Forms WordPress plugin through 6.2.0 is vulnerable to Insecure Direct Object Reference (IDOR), allowing authenticated users with manager-level access or higher to bypass form-level access controls, export arbitrary database tables, and enumerate table names via error messages, as tracked by CVE-2026-5395.","title":"Fluent Forms WordPress Plugin IDOR Vulnerability (CVE-2026-5395)","url":"https://feed.craftedsignal.io/briefs/2026-05-fluentforms-idor/"}],"language":"en","title":"CraftedSignal Threat Feed — Fluentforms","version":"https://jsonfeed.org/version/1.1"}