CVE-2026-5396 Overview
CVE-2026-5396 is an authorization bypass vulnerability in the Fluent Forms plugin for WordPress, affecting all versions up to and including 6.1.21. The flaw resides in the SubmissionPolicy class, which authorizes submission-level actions based on a user-supplied form_id query parameter. Authenticated users assigned Fluent Forms Manager access restricted to specific forms can spoof the form_id to access submissions from forms they should not control. The vulnerability is classified under CWE-639: Authorization Bypass Through User-Controlled Key.
Critical Impact
Authenticated attackers with restricted Fluent Forms Manager access can read, modify status, add notes to, and permanently delete form submissions belonging to any other form on the site.
Affected Products
- Fluent Forms plugin for WordPress, versions up to and including 6.1.21
- Fixed in Fluent Forms version 6.2.0
- WordPress sites granting Fluent Forms Manager role to non-administrative users
Discovery Timeline
- 2026-05-14 - CVE-2026-5396 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-5396
Vulnerability Analysis
The Fluent Forms plugin enforces form-scoped permissions for users assigned the Fluent Forms Manager role. Administrators can restrict a manager to a subset of forms, allowing the manager to handle only submissions for those specific forms. The SubmissionPolicy class enforces these checks by reading the form_id parameter from the incoming HTTP request and comparing it against the user's authorized forms.
The authorization logic trusts the client-supplied form_id without validating it against the actual submission being acted upon. An attacker passes a form_id they legitimately control while targeting submission identifiers belonging to a different form. The policy check passes because the supplied form_id is authorized, but the underlying database operation executes against the targeted submission. This pattern matches CWE-639, where access decisions rely on a user-controlled key.
Root Cause
The root cause is the separation between the authorization key (form_id from the query string) and the resource identifier (submission ID) used by the action handler. The SubmissionPolicy validates the former but acts on the latter, breaking the relationship between authorization scope and the resource manipulated. The WordPress plugin changeset shows the corrected policy now resolves the parent form from the submission record itself before authorization.
Attack Vector
Exploitation requires authenticated access with the Fluent Forms Manager role scoped to at least one form. The attacker crafts requests to submission endpoints (read, status update, add note, delete) and supplies a form_id query parameter matching a form they are authorized for, while referencing submission IDs from other forms. No user interaction is required, and the attack is delivered over the network through standard plugin admin endpoints.
Detection Methods for CVE-2026-5396
Indicators of Compromise
- Fluent Forms admin requests where the form_id query parameter does not match the parent form of the referenced submission ID in database logs.
- Unexpected DELETE or status-change actions on submissions by non-administrator users with Fluent Forms Manager role.
- New submission notes authored by Fluent Forms Manager accounts on forms outside their assigned scope.
Detection Strategies
- Audit WordPress access logs for admin-ajax.php and REST API calls targeting fluentform submission endpoints from non-administrator accounts.
- Cross-reference the form_id parameter in request logs with the actual form ownership of the targeted submission record.
- Review the fluentform_submissions and fluentform_submission_meta tables for unexpected deletions or status changes correlated to manager-level user IDs.
Monitoring Recommendations
- Enable WordPress audit logging for plugin role assignments and submission CRUD operations.
- Alert on bulk submission deletions or rapid status changes performed by non-administrator users.
- Track changes to user role capabilities granting Fluent Forms Manager access.
How to Mitigate CVE-2026-5396
Immediate Actions Required
- Update the Fluent Forms plugin to version 6.2.0 or later on all WordPress installations.
- Review all users assigned the Fluent Forms Manager role and remove access for accounts that no longer require it.
- Restore any submissions deleted during the exposure window from backups if unauthorized deletions are confirmed.
Patch Information
The vendor fixed the vulnerability in Fluent Forms 6.2.0. The patch modifies the SubmissionPolicy class to derive the authoritative form_id from the submission record itself rather than the request parameter. See the WordPress plugin changeset and the Wordfence Vulnerability Report for technical details.
Workarounds
- Restrict the Fluent Forms Manager role to trusted administrators only until the plugin is upgraded.
- Deploy a web application firewall rule to block requests where the submitted form_id parameter does not match the form associated with the referenced submission ID.
- Temporarily revoke submission delete and modify capabilities from non-administrator roles through a custom capability filter.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
