CVE-2026-5396 - Vulnerability Analysis
HighCVSS: 8.2Last Updated: May 14, 2026
Fluent Forms WordPress plugin - Authorization Bypass
Overview
Fluent Forms WordPress plugin <= 6.1.21 contains an authorization bypass through user-controlled form_id parameter in SubmissionPolicy class, letting authenticated attackers with limited form access read, modify, add notes, and delete submissions of other forms.
Severity & Score
Impact
Authenticated attackers can read, modify, add notes, and delete submissions of any form, leading to data tampering and unauthorized access.
Mitigation
Update to the latest version beyond 6.1.21.
References
Social Media Activity(2 posts)
š CVE-2026-5396 - High (8.2) The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, del... š https://www.thehackerwire.com/vulnerability/CVE-2026-5396/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š CVE-2026-5396 - High (8.2) The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, del... š https://www.thehackerwire.com/vulnerability/CVE-2026-5396/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-5396
- Severity
- High
- CVSS Score
- 8.2
- Type
- broken_access_control
- Status
- rejected
- EPSS
- 3.0%
- Social Posts
- 2
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N