Fluent Forms Authorization Bypass Vulnerability via User-Controlled 'form_id' Parameter

Vulnerability

A vulnerability exists in the Fluent Forms plugin for WordPress, in all versions up to and including 6.1.21, that allows authorization bypass through a user-controlled 'form_id' parameter. The issue arises in the SubmissionPolicy class, which authorizes actions on form submissions based on the 'form_id' value supplied in the request rather than on the form the targeted submission actually belongs to. This allows authenticated attackers whose Fluent Forms Manager access is limited to certain forms to manipulate submissions of other forms by falsifying the 'form_id' parameter.
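The following is an added illustration of the authorization flaw described above, not code from Fluent Forms itself. It assumes a hypothetical policy class, an in-memory submission store with constructed sample rows, and a per-user list of permitted form IDs; the vulnerable method trusts the request's 'form_id', while the hardened method derives the form from the stored submission record.

```php
<?php
// Illustrative example, not the plugin's own code. Constructed sample data:
// submission 100 belongs to form 1, submission 200 belongs to form 2.
final class SubmissionStore
{
    /** @var array<int, array{form_id:int}> */
    private array $rows = [
        100 => ['form_id' => 1],
        200 => ['form_id' => 2],
    ];

    public function find(int $submissionId): ?array
    {
        return $this->rows[$submissionId] ?? null;
    }
}

final class SubmissionPolicyExample
{
    /** @param int[] $permittedFormIds forms this manager may administer */
    public function __construct(
        private SubmissionStore $store,
        private array $permittedFormIds
    ) {
    }

    // Vulnerable pattern: the check is made against the client-supplied
    // form_id, so the value can be set to a permitted form while the
    // submission_id points at a submission of a different form.
    public function canManageVulnerable(array $request): bool
    {
        return in_array((int) $request['form_id'], $this->permittedFormIds, true);
    }

    // Hardened pattern: look up the submission by its id, take the form it
    // is stored against, and ignore any form_id the client sent.
    public function canManageFixed(array $request): bool
    {
        $submission = $this->store->find((int) $request['submission_id']);
        if ($submission === null) {
            return false; // unknown submission: deny rather than guess
        }
        return in_array($submission['form_id'], $this->permittedFormIds, true);
    }
}

// A manager permitted only on form 1 sends form_id=1 but targets submission 200 (form 2).
$policy  = new SubmissionPolicyExample(new SubmissionStore(), [1]);
$request = ['form_id' => 1, 'submission_id' => 200];
echo 'vulnerable check: ', var_export($policy->canManageVulnerable($request), true), PHP_EOL;
echo 'fixed check:      ', var_export($policy->canManageFixed($request), true), PHP_EOL;
```

Logging the mismatch between a request's 'form_id' and the submission's stored form is also a useful detection signal for this class of bug.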

Impact

Exploitation of this vulnerability allows authenticated users to bypass authorization restrictions, enabling them to read, modify, add notes to, and permanently delete form submissions from any form, regardless of the forms they have been assigned.

Remediation

Users are advised to update the Fluent Forms plugin to version 6.2.0 or later.

Added: May 14, 2026, 7:11 AM
Updated: May 14, 2026, 7:11 AM

Vulnerability Rating (Custom Algorithm)

  spread          5.2
  impact          1.3
  exploitability  6.1
  remediation     7.7
  relevance       8.3
  threat          3.2
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.