CVE-2026-5396— Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter
Possible ATT&CK Techniques 1AI
T1133 · External Remote ServicesAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | ≤ 6.1.21 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-5396
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Fluent Forms 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Fluent Forms 6.1.21及之前版本存在安全漏洞,该漏洞源于SubmissionPolicy类基于用户提供的form_id参数授权提交级操作,可能导致经过身份验证的攻击者通过伪造form_id参数访问其他
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | 0 ~ 6.1.21 | - |
II. Public POCs for CVE-2026-5396
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-5396
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
- CVE-2026-5395
Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authoriz - CVE-2026-6828
Fluent Forms <= 6.2.1 - Authenticated (Contributor+) Stored - CVE-2026-6344
Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbit - CVE-2026-4160
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & C - CVE-2026-0996
Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored
Same vendor: techjewel
- CVE-2026-5395
Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authoriz - CVE-2026-6828
Fluent Forms <= 6.2.1 - Authenticated (Contributor+) Stored - CVE-2026-6344
Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbit - CVE-2026-2306
Ninja Tables <= 5.2.6 - Missing Authorization to Authenticat - CVE-2026-4160
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & C
Same weakness: CWE-639
- CVE-2026-45666
Open WebUI: Indirect Object Reference (IDOR) in user notes - CVE-2026-44570
Open WebUI: Inconsistent authorization controls within memor - CVE-2026-45402
Open WebUI: Cross-User File Access via Unchecked file_id in - CVE-2026-45386
Open WebUI: An IDOR vulnerability exists in the pin_channel_ - CVE-2026-45398
Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Acc
V. Comments for CVE-2026-5396
No comments yet