Fluent Forms Insecure Direct Object Reference Vulnerability Allowing Authorization Bypass and Data Access

Vulnerability

A vulnerability exists in the Fluent Forms WordPress plugin, specifically in versions up to and including 6.2.0. The issue arises from an Insecure Direct Object Reference (IDOR) in the exportEntries function, where user-controlled keys are not properly validated. This flaw enables authenticated attackers with manager-level access or higher to bypass form-level access restrictions. Exploitation of this vulnerability allows attackers to access and export submissions from unauthorized forms, export data from arbitrary database tables, and enumerate database table names through disclosed error messages.
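The defect class described above (an export handler that takes a user-controlled object key and only checks the caller's coarse role) is easiest to see next to its hardened form. The following Python sketch is an added example written for this page; it is not Fluent Forms code and does not reproduce the plugin's exportEntries function. The in-memory store, the table names (plugin_submissions, site_users), the User class with its allowed_forms set, and the EXPORTABLE_TABLES allowlist are all constructed for illustration. The hardened handler shows the four checks a reviewer would expect: map the request key through an allowlist instead of using it as a table name, type-check the form identifier, enforce the per-form grant rather than only the role, and return generic errors that disclose no table names.

```python
"""
Vulnerable vs. hardened 'export entries' handler, modelled in Python.

Constructed example: an in-memory table store stands in for the database,
and a User object carries the form-level grants a plugin would normally
load from its own settings. None of this is Fluent Forms code.
"""
from dataclasses import dataclass, field

# Constructed sample store: table name -> list of rows.
SAMPLE_DB = {
    "plugin_submissions": [
        {"id": 1, "form_id": 10, "response": "alice@example.test"},
        {"id": 2, "form_id": 20, "response": "bob@example.test"},
    ],
    # A table that must never be reachable through an entry export.
    "site_users": [
        {"id": 1, "user_login": "admin", "user_pass": "<hash placeholder>"},
    ],
}

# Allowlist: the only logical keys a request may name, mapped to real tables.
EXPORTABLE_TABLES = {"submissions": "plugin_submissions"}


@dataclass
class User:
    name: str
    role: str
    allowed_forms: set = field(default_factory=set)  # form-level grants


class ExportError(Exception):
    """Raised for any refused export; hardened messages carry no table names."""


def export_entries_unsafe(db, user, params):
    """IDOR pattern: 'table' and 'form_id' come straight from the request and
    only the coarse role is checked, so any manager can read any table or any
    form, and the error message reveals which table names exist."""
    if user.role not in ("manager", "administrator"):
        raise ExportError("forbidden")
    table = params.get("table", "plugin_submissions")
    if table not in db:
        raise ExportError(f"table '{table}' does not exist")  # leaks names
    form_id = params.get("form_id")
    return [r for r in db[table] if form_id is None or r.get("form_id") == form_id]


def export_entries(db, user, params):
    """Hardened pattern: allowlisted object key, typed form id, per-form
    authorisation on top of the role check, and generic error text."""
    if user.role not in ("manager", "administrator"):
        raise ExportError("forbidden")
    # 1. Resolve the user-controlled key through an allowlist; never use it as a table name.
    table = EXPORTABLE_TABLES.get(str(params.get("table", "submissions")))
    if table is None:
        raise ExportError("invalid export request")
    # 2. Validate the object identifier's type before it reaches any query.
    try:
        form_id = int(params["form_id"])
    except (KeyError, TypeError, ValueError):
        raise ExportError("invalid export request") from None
    # 3. Enforce the form-level restriction, not just the role.
    if user.role != "administrator" and form_id not in user.allowed_forms:
        raise ExportError("forbidden")
    # 4. Filter server-side so rows belonging to other forms never leave the store.
    return [dict(r) for r in db[table] if r["form_id"] == form_id]


def attempt(handler, db, user, params):
    """Run a handler and report ('ok', rows) or ('error', message)."""
    try:
        return "ok", handler(db, user, params)
    except ExportError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    manager = User("m", "manager", {10})
    print(attempt(export_entries_unsafe, SAMPLE_DB, manager, {"table": "site_users"}))
    print(attempt(export_entries, SAMPLE_DB, manager, {"table": "site_users", "form_id": 10}))
    print(attempt(export_entries, SAMPLE_DB, manager, {"form_id": "10"}))
```

The point of the allowlist step is that the request never names a physical table at all: a logical key is looked up, and anything outside the map is rejected with the same generic message as a malformed form id, so neither a wrong key nor a missing table tells the caller anything about the schema.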

Impact

Exploitation of this vulnerability could lead to unauthorized access to form submissions, allowing attackers to view and export data from forms they are not authorized to access. Additionally, the vulnerability could be exploited to access and export data from arbitrary database tables, potentially leading to further exploitation or data breaches.

Remediation

Users are advised to update the Fluent Forms plugin to version 6.2.1 or a newer patched version.

Added: May 14, 2026, 7:30 AM
Updated: May 14, 2026, 7:30 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          3.1
exploitability  5.6
remediation     7.7
relevance       8.3
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.