Authorization Bypass in Fluent Forms Plugin for WordPress
CVE-2026-5396

8.2 HIGH

What is CVE-2026-5396?

The Fluent Forms plugin for WordPress has a critical vulnerability that allows authenticated users with limited access to read and manipulate form submissions. The flaw lies in how the SubmissionPolicy class performs authorization: it relies on a user-supplied 'form_id' query parameter when deciding whether submission-level actions (reading, modifying, deleting, and adding notes) are allowed. By crafting a specific request, an attacker can gain unauthorized access to any form submission, potentially leading to data exposure, modification, or deletion. This issue affects all versions of the plugin prior to 6.2.0.
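
The pattern described above, trusting a request-supplied form_id for an authorization decision, is shown below as an added illustration in PHP; this is not Fluent Forms' own code, and the SubmissionStore, FormPermissions, and request-array shape (with 'form_id' and 'entry_id' keys) are constructed assumptions for the example. The vulnerable function checks the form the caller names; the hardened function looks up which form the submission actually belongs to and checks that instead.

```php
<?php
declare(strict_types=1);

// Hypothetical submission row: only the fields the example needs.
final class SubmissionRecord
{
    public function __construct(public int $id, public int $formId) {}
}

// Constructed in-memory stand-in for the plugin's submissions table.
final class SubmissionStore
{
    /** @var array<int, SubmissionRecord> */
    private array $rows = [];

    public function add(SubmissionRecord $row): void
    {
        $this->rows[$row->id] = $row;
    }

    public function find(int $id): ?SubmissionRecord
    {
        return $this->rows[$id] ?? null;
    }
}

// Constructed per-form permission table: user id => form ids that user may manage.
final class FormPermissions
{
    /** @param array<int, int[]> $grants */
    public function __construct(private array $grants) {}

    public function userCanManageForm(int $userId, int $formId): bool
    {
        return in_array($formId, $this->grants[$userId] ?? [], true);
    }
}

// VULNERABLE PATTERN (assumed shape of the flaw): the form used for the
// permission check is whatever the request says it is, so the check never
// asks which form the targeted submission really belongs to.
function canActOnSubmissionVulnerable(
    FormPermissions $perms, SubmissionStore $store, int $userId, array $request
): bool {
    $requestedFormId = (int) ($request['form_id'] ?? 0);   // attacker-controlled
    $submission = $store->find((int) ($request['entry_id'] ?? 0));
    if ($submission === null) {
        return false;
    }
    // BUG: authorization keyed on the requested form, not the submission's form.
    return $perms->userCanManageForm($userId, $requestedFormId);
}

// HARDENED PATTERN: derive the form from the stored submission. A request-supplied
// form_id may still be accepted for routing, but it is never the basis of the
// authorization decision, and a mismatch is denied outright.
function canActOnSubmissionFixed(
    FormPermissions $perms, SubmissionStore $store, int $userId, array $request
): bool {
    $submission = $store->find((int) ($request['entry_id'] ?? 0));
    if ($submission === null) {
        return false;
    }
    if (isset($request['form_id']) && (int) $request['form_id'] !== $submission->formId) {
        // Client claims a different form than the submission belongs to: deny
        // (a good place to log for detection, since legitimate clients agree).
        return false;
    }
    return $perms->userCanManageForm($userId, $submission->formId);
}

// Constructed scenario: user 7 may manage form 1 only; submission 42 belongs to form 2.
$store = new SubmissionStore();
$store->add(new SubmissionRecord(id: 10, formId: 1));
$store->add(new SubmissionRecord(id: 42, formId: 2));
$perms = new FormPermissions([7 => [1]]);

$legitimate = ['form_id' => 1, 'entry_id' => 10];   // own form, own submission
$crossForm  = ['form_id' => 1, 'entry_id' => 42];   // own form named, other form's submission

foreach (['legitimate' => $legitimate, 'cross-form' => $crossForm] as $label => $request) {
    printf(
        "%-11s vulnerable=%s fixed=%s\n",
        $label,
        canActOnSubmissionVulnerable($perms, $store, 7, $request) ? 'allow' : 'deny',
        canActOnSubmissionFixed($perms, $store, 7, $request) ? 'allow' : 'deny'
    );
}
```

Run with `php example.php`. For the legitimate request both functions agree; for the cross-form request the vulnerable check allows the action because it only looks at the form named in the query string, while the hardened check denies it because the submission's stored form is the one the user is not permitted to manage. The design point is that any identifier used to scope an authorization decision must be resolved server-side from the object being acted on, never taken from the caller.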

Affected Version(s)

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder: versions 0 through 6.1.21

CVSS v3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sander Horsman