CVE-2026-5395

techjewel · Fluent Forms

The Fluent Forms plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthorized access to data.

Executive summary

A critical IDOR vulnerability in the Fluent Forms plugin for WordPress allows unauthenticated attackers to access sensitive data, posing a significant risk of information disclosure.

Vulnerability

The plugin is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability (CWE-639) due to a failure to properly validate user-controlled keys. The attacker is unauthenticated (AV:N/PR:N/UI:N), allowing for unauthorized access to sensitive information.

Business impact

Successful exploitation of this vulnerability can lead to unauthorized access to sensitive form submission data, potentially exposing customer information or internal business communications. With a CVSS score of 8.2, this vulnerability is classified as High severity and requires immediate attention to prevent potential data breaches and regulatory compliance failures.

Remediation

Immediate Action: Update the Fluent Forms plugin to version 6.2.1 or later to remediate the vulnerability.

Proactive Monitoring: Monitor server access logs for anomalous requests targeting the TransferService.php endpoint or unusual patterns in form data retrieval.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious requests that attempt to manipulate object identifiers in URL parameters or API calls.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the ease of exploitation and the potential for unauthorized data access, administrators should prioritize updating the Fluent Forms plugin immediately. Ensure all instances are patched to version 6.2.1 to close this security gap and safeguard sensitive organizational data.