Fluent Forms CVE-2026-5396: Authorization Bypass Threatens WordPress Submissions

The Fluent Forms plugin for WordPress, in all versions up to and including 6.1.21, is vulnerable to Authorization Bypass Through User-Controlled Key, tracked as CVE-2026-5396. According to the National Vulnerability Database, the flaw lies in the SubmissionPolicy class, which governs submission-level actions such as reading, modifying, or deleting entries: it decides authorization from a user-supplied form_id query parameter rather than from the form the submission actually belongs to, so a caller can set that parameter to any value.

As a result, authenticated attackers, including users whose Fluent Forms Manager role is restricted to specific forms, can bypass the intended controls. By setting form_id to a form they are authorized for, they can read, modify, add notes to, or permanently delete submissions belonging to any other form on the WordPress site. The National Vulnerability Database assigns a CVSS score of 8.2 (HIGH).

For defenders this is a serious confidentiality and integrity risk to form data. Any organization that uses Fluent Forms for critical data collection, customer interactions, or internal processes should assume that a compromised or malicious 'restricted' manager account can reach sensitive submissions it was never meant to see. The attacker's calculus is straightforward: exploit the authorization flaw to move laterally across forms and reach a broader dataset than the account was granted.
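The flaw described above is the classic "user-controlled key" pattern: the permission check trusts an identifier the caller supplies instead of one the server derives from the record being acted on. The following Python model is an added example, not Fluent Forms' code, and uses constructed tables, usernames and IDs; it places the vulnerable check beside the hardened one so the difference is concrete.

```python
# Added example (not Fluent Forms' code): a minimal model of the
# "authorization bypass through user-controlled key" pattern, with the
# vulnerable check beside a hardened one. All data below is constructed.

from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed data store: which form each stored submission belongs to,
# and which forms each restricted manager may work on.
SUBMISSIONS = {
    10: {"form_id": 1, "data": "contact request"},
    42: {"form_id": 2, "data": "payroll change request"},
}
MANAGER_FORMS = {
    "manager_a": {1},      # may only manage form 1
    "admin": {1, 2},
}


@dataclass
class Request:
    """The parameters a caller controls on a submission-level action."""
    user: str
    entry_id: int
    form_id: Optional[int] = None   # user-supplied, hence attacker-controllable


def can_access_vulnerable(req: Request) -> bool:
    """Vulnerable pattern: trust the caller's form_id for the permission check.

    Nothing confirms that entry_id actually belongs to form_id, so a manager
    of form 1 who names form_id=1 passes even for an entry that belongs to
    form 2.
    """
    allowed = MANAGER_FORMS.get(req.user, set())
    return req.form_id in allowed


def can_access_hardened(req: Request) -> bool:
    """Hardened pattern: derive the governing form from the stored submission.

    The form_id used for authorization is looked up server-side by entry_id;
    the request parameter is only accepted if it agrees with the record.
    """
    record = SUBMISSIONS.get(req.entry_id)
    if record is None:
        return False                        # unknown entry: deny, do not leak
    real_form_id = record["form_id"]
    if req.form_id is not None and req.form_id != real_form_id:
        return False                        # claimed form disagrees: deny
    allowed = MANAGER_FORMS.get(req.user, set())
    return real_form_id in allowed


def compare(user: str, entry_id: int, claimed_form_id: int) -> Tuple[bool, bool]:
    """Return (vulnerable_decision, hardened_decision) for one request."""
    req = Request(user=user, entry_id=entry_id, form_id=claimed_form_id)
    return can_access_vulnerable(req), can_access_hardened(req)


if __name__ == "__main__":
    # A manager restricted to form 1 requests entry 42 (which belongs to
    # form 2) while claiming form_id=1: the vulnerable check allows it.
    print(compare("manager_a", 42, 1))   # (True, False)
    # The same manager on an entry of their own form is allowed by both.
    print(compare("manager_a", 10, 1))   # (True, True)
```

The fix is not a stricter check on form_id but a different source for it: the server resolves the form from the submission record and applies the user's form permissions to that value, so the request parameter no longer decides anything.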

What This Means For You

  • If your organization uses the Fluent Forms plugin on WordPress, patch immediately to a version later than 6.1.21. Until then, any authenticated user with *limited* form access can potentially read, modify, or delete *all* form submissions. Audit your Fluent Forms and web server logs for unusual activity or unauthorized access patterns, especially around submission-management actions.


Detection Rules

The rule below was auto-generated for this advisory and mapped to MITRE ATT&CK. The page lists three rules in six SIEM formats; only the Sigma YAML is reproduced here.

Rule 1 · level: critical · ATT&CK T1190 (Initial Access)

Fluent Forms CVE-2026-5396 Authorization Bypass - Form Submission Access

Sigma YAML:
title: Fluent Forms CVE-2026-5396 Authorization Bypass - Form Submission Access
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects attempts to access or modify Fluent Forms submissions by exploiting CVE-2026-5396. The rule looks for successful POST requests to Fluent Forms endpoints that carry a 'form_id' or 'fluentform_id' query parameter, the user-controlled key on which the vulnerable authorization check relies. Web server logs cannot show whether the referenced submission belongs to that form, so matches need triage against the acting user's assigned forms.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5396/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'fluentform_id='
      - 'form_id='
    cs-method: 'POST'
    sc-status: 200
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Ordinary form submissions and submission-management requests that legitimately carry a form_id parameter
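To show what the rule above actually selects, and what it cannot see, here is an added Python example (not from the page, the Sigma project or Fluent Forms) that applies the rule's selection to W3C-style web server log lines and adds a per-user triage view. The log lines, usernames, IP addresses and request paths are constructed; /wp-admin/admin-ajax.php is a standard WordPress endpoint, but the real Fluent Forms request paths are not given on the page.

```python
# Added example (not from the page or the Sigma project): applies the
# rule's selection logic to W3C-style web server log lines and adds a
# per-user triage view. All log lines, names, IPs and paths are constructed.

from typing import Dict, List, Set
from urllib.parse import parse_qs

# Constructed sample log in W3C extended format, the field layout that the
# Sigma 'webserver' logsource field names (cs-method, cs-uri-query, ...) map to.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2026-05-14 09:20:01 203.0.113.5 manager_a POST /wp-admin/admin-ajax.php form_id=1&entry_id=10 200
2026-05-14 09:20:05 203.0.113.5 manager_a POST /wp-admin/admin-ajax.php form_id=1&entry_id=42 200
2026-05-14 09:20:09 203.0.113.5 manager_a POST /wp-admin/admin-ajax.php form_id=3&entry_id=77 200
2026-05-14 09:21:00 198.51.100.7 - GET /contact/ form_id=2 200
2026-05-14 09:21:30 203.0.113.5 manager_a POST /wp-admin/admin-ajax.php form_id=1&entry_id=99 403
2026-05-14 09:22:00 203.0.113.9 admin POST /wp-admin/admin-ajax.php fluentform_id=2 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse a W3C extended log into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line: skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def matches_rule(rec: Dict[str, str]) -> bool:
    """The rule's selection: a successful POST whose query carries the key."""
    query = rec.get("cs-uri-query", "")
    has_key = "fluentform_id=" in query or "form_id=" in query
    return has_key and rec.get("cs-method") == "POST" and rec.get("sc-status") == "200"


def forms_touched_per_user(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Triage enrichment: which form_id values each user posted with.

    The log alone cannot show whether an entry belongs to the named form, so
    the reviewer compares this set with the user's assigned forms.
    """
    seen: Dict[str, Set[str]] = {}
    for rec in records:
        if not matches_rule(rec):
            continue
        params = parse_qs(rec.get("cs-uri-query", ""))
        ids = params.get("form_id", []) + params.get("fluentform_id", [])
        seen.setdefault(rec.get("cs-username", "-"), set()).update(ids)
    return seen


def users_exceeding(assigned: Dict[str, Set[str]], records: List[Dict[str, str]]) -> List[str]:
    """Users who posted with a form_id outside the forms assigned to them."""
    touched = forms_touched_per_user(records)
    return sorted(u for u, ids in touched.items() if ids - assigned.get(u, set()))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(sum(1 for r in recs if matches_rule(r)), "rule matches")     # 4
    print(forms_touched_per_user(recs))
    print(users_exceeding({"manager_a": {"1"}, "admin": {"1", "2"}}, recs))  # ['manager_a']
```

Two caveats fall out of running this. First, the rule is a hunting query rather than an alert: every successful submission-management request carrying form_id matches, so the per-user comparison against assigned forms is what makes the output reviewable. Second, the bypass itself is invisible in web server logs: the second constructed line (entry 42 requested under form_id=1) is exactly the abuse the advisory describes, yet the claimed form is one the user is allowed to manage, so only application-side logging that records the entry's real form can confirm it. Note also that 'fluentform_id=' contains 'form_id=' as a substring, so the rule's second pattern already covers the first; both are kept here to mirror the rule.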

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5396 | Auth Bypass | Fluent Forms plugin for WordPress versions <= 6.1.21 |
| CVE-2026-5396 | Auth Bypass | Vulnerable class: SubmissionPolicy |
| CVE-2026-5396 | Auth Bypass | Vulnerable parameter: form_id (user-controlled key) |
| CVE-2026-5396 | Auth Bypass | Affected actions: read, modify status, add notes to, and permanently delete form submissions |

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
