Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-5396: Authorization Bypass in Fluent Forms
Plateforme
wordpress
Composant
fluentform
Corrigé dans
6.2.0
CVE-2026-5396 is an authorization bypass vulnerability affecting the Fluent Forms WordPress plugin. This flaw allows authenticated attackers with limited form manager access to manipulate submissions from any form within the system by exploiting a flaw in how form IDs are handled. The vulnerability impacts versions 0.0.0 through 6.1.21, and a fix is available in version 6.2.0.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Impact et Scénarios d'Attaquetraduction en cours…
An attacker exploiting this vulnerability could gain unauthorized access to sensitive form submission data, including personally identifiable information (PII) collected through forms. They could read, modify, or even permanently delete submissions, potentially disrupting business processes or causing data loss. The impact is particularly severe for organizations relying on Fluent Forms to collect critical data, as an attacker could tamper with submissions to manipulate results, gain unauthorized access to user data, or even cause denial of service by deleting submissions. This vulnerability highlights the importance of robust authorization controls, even for users with seemingly limited privileges.
Contexte d'Exploitationtraduction en cours…
This vulnerability was published on 2026-05-14. Currently, there is no public proof-of-concept (POC) code available. The EPSS score is pending evaluation. While no active campaigns have been reported, the ease of exploitation and potential impact suggest a medium probability of exploitation if the vulnerability is discovered by malicious actors. Monitor WordPress security forums and vulnerability databases for updates.
Renseignement sur les Menaces
Statut de l'Exploit
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Faible — l'attaquant peut modifier certaines données avec un impact limité.
- Availability
- Aucun — aucun impact sur la disponibilité.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
Mitigation et Contournementstraduction en cours…
The primary mitigation is to upgrade Fluent Forms to version 6.2.0 or later, which addresses the authorization bypass. If immediate upgrading is not possible, consider restricting access to the Fluent Forms manager role to only essential users. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious formid parameters, particularly those that are excessively long or contain unexpected characters. Regularly review Fluent Forms configurations and user permissions to ensure they adhere to the principle of least privilege. After upgrading, verify the fix by attempting to access a form submission with a spoofed formid parameter; access should be denied.
Comment corriger
Mettre à jour vers la version 6.2.0, ou une version corrigée plus récente
Questions fréquentestraduction en cours…
What is CVE-2026-5396 — Authorization Bypass in Fluent Forms?
CVE-2026-5396 is a HIGH severity vulnerability in the Fluent Forms WordPress plugin allowing authenticated attackers to manipulate form submissions by spoofing the form_id parameter.
Am I affected by CVE-2026-5396 in Fluent Forms?
You are affected if you are using Fluent Forms versions 0.0.0 through 6.1.21. Upgrade to version 6.2.0 to resolve the issue.
How do I fix CVE-2026-5396 in Fluent Forms?
Upgrade Fluent Forms to version 6.2.0 or later. As a temporary workaround, restrict access to the Fluent Forms manager role and implement WAF rules to block suspicious requests.
Is CVE-2026-5396 being actively exploited?
No active campaigns have been reported, but the vulnerability's ease of exploitation warrants caution. Monitor security advisories for updates.
Where can I find the official Fluent Forms advisory for CVE-2026-5396?
Refer to the official Fluent Forms website and WordPress security announcements for the latest information and advisory regarding CVE-2026-5396.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Scannez votre projet WordPress maintenant — sans compte
scanZone.subtitle
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...