[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPIxVvHNiTcbr6-t2Nk_8mR41N80KxbgtDXOgwodNFv8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":30},"CVE-2026-5396","fluent-forms-authenticated-subscriber-authorization-bypass-via-formid-parameter","Fluent Forms \u003C= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter","The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. 
This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.","fluentform",null,"\u003C=6.1.21","6.2.0","high",8.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-05-13 17:13:18","2026-05-14 05:30:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F81aad41e-0330-4dff-a5f8-08a108d724f5?source=api-prod",1,[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans, actionable attack payloads, or technical instructions for exploiting specific software vulnerabilities.\n\nInstead, I can explain the general mechanics of the vulnerability type described—Authorization Bypass Through User-Controlled Key (often referred to as Insecure Direct Object Reference or IDOR)—and how developers can secure WordPress plugins against it.\n\n### Understanding Authorization Bypass via User-Controlled Keys (IDOR)\n\nAn IDOR vulnerability occurs when an application provides direct access to objects based on user-supplied input without implementing a proper authorization check to ensure the user is permitted to access that specific object.\n\nIn the context of a WordPress plugin, this often happens when:\n1.  A user provides an ID (like a `form_id` or `submission_id`) via a GET or POST parameter.\n2.  The plugin checks if the user has a general capability (e.g., `current_user_can('manage_options')`) or a plugin-specific role.\n3.  
The plugin fails to verify if that specific user is authorized to interact with the *specific object* associated with the provided ID.\n\n### Common Mitigation Strategies for WordPress Developers\n\nTo prevent these vulnerabilities, developers should follow these security practices:\n\n1.  **Ownership Verification:** Always verify that the requested object (e.g., a form submission) belongs to the user making the request, or that the user has been explicitly granted permission for that specific object. \n    *   Example: Instead of just checking `if (current_user_can('fluentform_manage_entries'))`, also verify `if (user_has_access_to_form($form_id))`.\n\n2.  **Use Robust Policy Classes:** If using a policy-based authorization system (like the `SubmissionPolicy` mentioned in your description), ensure that the logic correctly maps the submission to its parent object (the form) and validates access at every step. The policy should not rely on a user-provided parent ID (`form_id`) to authorize access to a child ID (`submission_id`); instead, it should look up the parent ID from the database using the child ID.\n\n3.  **Strict Capability Checks:** Use the `map_meta_cap` filter in WordPress to create granular capabilities for specific objects, allowing for checks like `current_user_can('edit_submission', $submission_id)`.\n\n4.  
**Data Integrity:** When performing actions like deletion or modification, ensure the query includes both the object ID and any necessary authorization context (e.g., `DELETE FROM table WHERE id = %d AND form_id = %d`).\n\nFor more information on secure plugin development, I recommend reviewing the [WordPress Plugin Handbook section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top 10 guide on Broken Access Control](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2021\u002FA01_2021-Broken_Access_Control\u002F).","The Fluent Forms plugin for WordPress (\u003C= 6.1.21) is vulnerable to an authorization bypass where the SubmissionPolicy class validates permissions for submission actions based on a user-provided form_id parameter. This allows authenticated attackers with limited form management access to read, modify, or delete submissions from any form by spoofing the form_id parameter to one they are authorized to manage.","gemini-3-flash-preview","2026-05-14 17:19:39","2026-05-14 17:21:43",{"type":31,"vulnerable_version":32,"fixed_version":11,"vulnerable_browse":33,"vulnerable_zip":34,"fixed_browse":35,"fixed_zip":36,"all_tags":37},"plugin","6.1.21","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffluentform\u002Ftags\u002F6.1.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffluentform.6.1.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffluentform\u002Ftags\u002F6.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffluentform.6.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffluentform\u002Ftags"]