Security Alert Summary
The Fluent Forms plugin for WordPress contains an authorization bypass vulnerability that allows an authenticated user whose Fluent Forms Manager access is limited to specific forms to act on submissions belonging to forms they should not control. The root cause is that the plugin authorizes submission-level actions based on a user-supplied form_id parameter rather than on the form the targeted submission actually belongs to.
CVE Details
- CVE ID: CVE-2026-5396
- Affected component: Fluent Forms plugin for WordPress
- Affected versions: All versions up to and including 6.1.21
- Published: May 14, 2026 at 06:16:24 AM
- Last modified: May 14, 2026 at 02:28:41 PM
- CVSS v3.1 Base Score: 8.2
- CVSS v3.1 Severity: HIGH
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Authentication / Privileges / User Interaction:
  - Authentication: Not required according to the published vector (PR:N, privileges required: NONE). Note that the technical details below describe an attacker who is authenticated with Fluent Forms Manager access to at least one form; treat the vector as published and the authenticated manager account as the practical precondition.
  - User interaction: None (UI:N)
- Primary impact:
  - Confidentiality: High
  - Integrity: Low
  - Availability: None
- Weakness (CWE): CWE-639 (Authorization Bypass Through User-Controlled Key)
Technical Details
The vulnerability exists because the plugin’s SubmissionPolicy class authorizes submission-level actions (read, modify, delete, add notes) using a form_id value that the user supplies via a query parameter. The authorization decision is tied to the provided form_id rather than to the form the targeted submission actually belongs to.
Because the check relies on a user-controlled form_id, an authenticated attacker whose Fluent Forms Manager access is limited to certain forms can supply a form_id they are authorized for while targeting, by submission identifier, a submission that belongs to a different form. This allows the attacker to read submission data, change submission status, add notes, or permanently delete submissions from forms they should not manage.
This is the classic CWE-639 pattern: the policy trusts an identifier from the request instead of loading the submission first and verifying that its form is one the user is authorized to manage.
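The following is an added example, not Fluent Forms code: it models the flaw described above in Python so that it runs stand-alone, with hypothetical names (SUBMISSIONS, User, vulnerable_can_act, fixed_can_act, delete_submission, demo) standing in for the plugin's SubmissionPolicy logic and submission storage. It replays the scenario from the advisory, a manager for form 1 who supplies form_id=1 while targeting an entry that belongs to form 2, against both a policy that trusts the request's form_id and one that resolves the submission first.

```python
"""Model of the CWE-639 authorization flaw described in the advisory.

Added example, not Fluent Forms code. All names below are hypothetical
stand-ins for the plugin's SubmissionPolicy and its submission table.
"""
from dataclasses import dataclass, field

# Constructed sample data: submissions keyed by entry id, each recording
# the form it actually belongs to. Entries 101/102 belong to form 1,
# entry 201 to form 2.
SUBMISSIONS = {
    101: {"form_id": 1, "email": "alice@example.com", "status": "unread"},
    102: {"form_id": 1, "email": "bob@example.com", "status": "unread"},
    201: {"form_id": 2, "email": "ceo@example.com", "status": "unread"},
}


@dataclass
class User:
    """A Fluent Forms Manager-style user scoped to a set of form ids."""
    name: str
    managed_forms: set = field(default_factory=set)

    def can_manage_form(self, form_id: int) -> bool:
        return form_id in self.managed_forms


def vulnerable_can_act(user, request, submissions):
    """The pattern the advisory describes: authorize against the form_id
    taken from the request. `submissions` is deliberately never consulted,
    so the targeted entry's real form plays no part in the decision."""
    form_id = int(request["form_id"])
    return user.can_manage_form(form_id)


def fixed_can_act(user, request, submissions):
    """Hardened check: load the submission, then authorize against the
    form it is actually attached to. Any request-supplied form_id that
    disagrees with the stored value is treated as tampering and rejected."""
    entry = submissions.get(int(request["entry_id"]))
    if entry is None:
        return False
    if int(request.get("form_id", entry["form_id"])) != entry["form_id"]:
        return False
    return user.can_manage_form(entry["form_id"])


def delete_submission(policy, user, request, submissions):
    """Perform the destructive action only if `policy` permits it.
    Returns True when the entry was deleted, False when it was refused."""
    if not policy(user, request, submissions):
        return False
    submissions.pop(int(request["entry_id"]), None)
    return True


def demo():
    """Replay the advisory's attack under both policies.

    Returns (vulnerable_deleted, fixed_deleted): whether entry 201, which
    belongs to form 2, was deleted by a manager scoped to form 1 only."""
    contractor = User("contractor", {1})          # manager for form 1 only
    spoofed = {"form_id": "1", "entry_id": "201"}  # entry 201 is on form 2
    store_vuln = {k: dict(v) for k, v in SUBMISSIONS.items()}
    store_fixed = {k: dict(v) for k, v in SUBMISSIONS.items()}
    vuln = delete_submission(vulnerable_can_act, contractor, spoofed, store_vuln)
    fixed = delete_submission(fixed_can_act, contractor, spoofed, store_fixed)
    return vuln, fixed


if __name__ == "__main__":
    v, f = demo()
    print(f"vulnerable policy deleted cross-form entry 201: {v}")
    print(f"fixed policy deleted cross-form entry 201: {f}")
```

The fix is not "validate form_id harder": it is to stop deriving the authorization context from the request at all. The submission identifier is the thing being acted on, so the form it belongs to must come from storage, and any form_id the client sends is at best a consistency check.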
How This Could Impact Your Website
Consider a site where the owner assigns a staff member or external contractor the role of managing form submissions for a subset of forms. An attacker who can log in with an account that has Fluent Forms Manager access limited to specific forms could manipulate the form_id parameter to access submissions from other forms. Practical consequences include:
- Exposure of submission contents, including internal or external user email addresses and other personal data collected via forms.
- Increased risk of targeted phishing or social engineering using exposed contact details.
- Unauthorized changes to submission status or addition of notes, which can disrupt internal workflows or auditing.
- Permanent deletion of submissions, resulting in loss of records or evidence required for business processes.
If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update Fluent Forms to a release later than 6.1.21 as soon as a patched version is available.
- Review and reduce unnecessary user roles and capabilities; in particular, scope Fluent Forms Manager access to the forms each user actually needs and remove it from accounts that no longer need it.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins to reduce your attack surface.
- Monitor site activity and form submission logs for unusual behavior, such as submission views, status changes, notes, or deletions on forms that the acting user's access should not cover.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.