CVE-2026-5396: Authorization Bypass in Fluent Forms
Platform
wordpress
Component
fluentform
Fixed in
6.2.0
CVE-2026-5396 is an authorization bypass vulnerability affecting the Fluent Forms WordPress plugin. This flaw allows authenticated attackers with limited form manager access to manipulate submissions from any form within the system by exploiting a flaw in how form IDs are handled. The vulnerability impacts versions 0.0.0 through 6.1.21, and a fix is available in version 6.2.0.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
An attacker exploiting this vulnerability could gain unauthorized access to sensitive form submission data, including personally identifiable information (PII) collected through forms. They could read, modify, or even permanently delete submissions, potentially disrupting business processes or causing data loss. The impact is particularly severe for organizations relying on Fluent Forms to collect critical data, as an attacker could tamper with submissions to manipulate results, gain unauthorized access to user data, or even cause denial of service by deleting submissions. This vulnerability highlights the importance of robust authorization controls, even for users with seemingly limited privileges.
Exploitation Context
This vulnerability was published on 2026-05-14. Currently, there is no public proof-of-concept (POC) code available. The EPSS score is pending evaluation. While no active campaigns have been reported, the ease of exploitation and potential impact suggest a medium probability of exploitation if the vulnerability is discovered by malicious actors. Monitor WordPress security forums and vulnerability databases for updates.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation is to upgrade Fluent Forms to version 6.2.0 or later, which addresses the authorization bypass. If immediate upgrading is not possible, consider restricting access to the Fluent Forms manager role to only essential users. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious formid parameters, particularly those that are excessively long or contain unexpected characters. Regularly review Fluent Forms configurations and user permissions to ensure they adhere to the principle of least privilege. After upgrading, verify the fix by attempting to access a form submission with a spoofed formid parameter; access should be denied.
How to fix
Update to version 6.2.0, or a newer patched version
Frequently asked questions
What is CVE-2026-5396 — Authorization Bypass in Fluent Forms?
CVE-2026-5396 is a HIGH severity vulnerability in the Fluent Forms WordPress plugin allowing authenticated attackers to manipulate form submissions by spoofing the form_id parameter.
Am I affected by CVE-2026-5396 in Fluent Forms?
You are affected if you are using Fluent Forms versions 0.0.0 through 6.1.21. Upgrade to version 6.2.0 to resolve the issue.
How do I fix CVE-2026-5396 in Fluent Forms?
Upgrade Fluent Forms to version 6.2.0 or later. As a temporary workaround, restrict access to the Fluent Forms manager role and implement WAF rules to block suspicious requests.
Is CVE-2026-5396 being actively exploited?
No active campaigns have been reported, but the vulnerability's ease of exploitation warrants caution. Monitor security advisories for updates.
Where can I find the official Fluent Forms advisory for CVE-2026-5396?
Refer to the official Fluent Forms website and WordPress security announcements for the latest information and advisory regarding CVE-2026-5396.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...