CVE-2026-5395
HIGH · 8.2 · Published today; vendor alerts only; no PoC, no KEV, no defender incident reports yet.
What: Insecure Direct Object Reference (IDOR) in Fluent Forms WordPress plugin ≤6.2.0 allows authenticated manager-level users to bypass access controls and export unauthorized form submissions and database tables (CVSS 8.2).
Why it matters: Published today; HIGH-severity IDOR enabling data exfiltration and database enumeration for authenticated attackers who already hold elevated plugin permissions. Not yet KEV-listed, and no public PoC has been confirmed in the posts seen so far, but the 8.2 score and the ability to read arbitrary database tables warrant immediate triage by operators of WordPress sites running this plugin.
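The first triage step is deciding whether an installed copy is in the affected range. The helper below is an added example written for this entry, not vendor or vulnerability-feed code. It assumes the affected range is "all versions up to, and including, 6.2.0" as the description states, reads the version from the standard WordPress plugin header ("Version:" line) of a plugin's main PHP file, and uses a constructed sample header rather than the real file.

```python
"""Affected-version triage for the Fluent Forms entry above (added example).

Assumptions: affected range is <= 6.2.0 inclusive; the version comes from
the WordPress plugin header block; SAMPLE_HEADER is constructed, not real.
"""
import re
from typing import Optional, Tuple

AFFECTED_MAX = "6.2.0"  # inclusive upper bound of the affected range

# WordPress plugin headers are a PHP comment block of "Key: Value" lines.
_VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*([^\s*]+)", re.MULTILINE)


def version_from_plugin_header(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header block, or None."""
    m = _VERSION_LINE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; '6.2.0-beta1' -> (6, 2, 0).
    A component with no leading digits counts as 0."""
    key = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True when version <= affected_max, comparing component-wise and
    zero-padding the shorter tuple so that '6.2' equals '6.2.0'."""
    a, b = version_key(version), version_key(affected_max)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def triage_plugin_file(header_text: str) -> dict:
    """One-shot check for a fleet script: reports what was found and the
    verdict, and flags an unreadable version instead of guessing."""
    version = version_from_plugin_header(header_text)
    if version is None:
        return {"version": None, "affected": None,
                "action": "version unreadable; inspect manually"}
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "action": ("update Fluent Forms; review manager-level accounts"
                   if affected else "not in affected range"),
    }


# Constructed sample header (assumption: not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Fluent Forms
 * Version: 6.2.0
 * Requires PHP: 7.4
 */
"""

if __name__ == "__main__":
    print(triage_plugin_file(SAMPLE_HEADER))
```

On a live site the same comparison can be run against the `version` field of `wp plugin list --format=json` output instead of parsing the header; either way, a version that cannot be read should be treated as unknown rather than as safe.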
Where it's seen: Coordinated same-day posts on Bluesky and X from security feed aggregators and vulnerability intelligence vendors; no active exploit discussion, researcher analysis, or vendor emergency patch notes visible yet.
RISK: HIGH — IDOR with authenticated access; HIGH CVSS; impacts form data confidentiality and database enumeration.
Description
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure.
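The description names three consequences of the missing validation: reading submissions from a form the caller is not authorized for, exporting an arbitrary database table, and learning table names from error text. The model below is an added illustration of that IDOR class, not Fluent Forms code; the table names, columns, permission model and function names are assumptions made for the example, and the rows are constructed sample data. It places the unchecked export beside a deny-by-default version that closes all three paths.

```python
"""Model of the export-entries IDOR class described above (added example).

Not Fluent Forms code: schema, permission model and function names are
assumptions for this illustration; the rows are constructed sample data.
"""
import sqlite3
from typing import Iterable, Optional, Tuple


class ExportDenied(Exception):
    """Raised by the hardened exporter; the message carries no schema detail."""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: submissions for two forms, plus an unrelated
    table an entries export must never be able to read."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ff_submissions (id INTEGER, form_id INTEGER, response TEXT);
        INSERT INTO ff_submissions VALUES (1, 10, 'contact: alice'), (2, 20, 'survey: bob');
        CREATE TABLE wp_users (ID INTEGER, user_email TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin@example.test', '$P$hash');
    """)
    return con


def export_entries_vulnerable(con: sqlite3.Connection, table: str,
                              form_id: Optional[int] = None):
    """The 'missing validation on a user controlled key' pattern: the request
    chooses the table and the form, nothing checks that the caller may read
    that form, and database errors are returned verbatim."""
    sql = f"SELECT * FROM {table}"            # identifier taken from the request
    params: Tuple = ()
    if form_id is not None:
        sql += " WHERE form_id = ?"
        params = (form_id,)
    try:
        return con.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"                # e.g. "no such table: wp_nope"


EXPORTABLE = {"ff_submissions"}  # the only source an entries export may read


def export_entries_hardened(con: sqlite3.Connection, table: str, form_id: int,
                            allowed_form_ids: Iterable[int]):
    """Deny by default: the source must be allow-listed, the form must be one
    the caller is authorized for, and failures are reported generically."""
    if table not in EXPORTABLE:
        raise ExportDenied("export source not permitted")
    if form_id not in set(allowed_form_ids):
        raise ExportDenied("form not permitted")
    try:
        # Fixed query: the identifier no longer comes from the request.
        return con.execute(
            "SELECT * FROM ff_submissions WHERE form_id = ?", (form_id,)
        ).fetchall()
    except sqlite3.Error:
        raise ExportDenied("export failed")   # no table or column names leaked


if __name__ == "__main__":
    db = build_sample_db()
    manager_forms = {10}  # a manager-level user authorized for form 10 only
    print(export_entries_vulnerable(db, "ff_submissions", 20))  # bob's data: form-level bypass
    print(export_entries_vulnerable(db, "wp_users"))            # arbitrary table export
    print(export_entries_vulnerable(db, "wp_nope"))             # "no such table": name oracle
    print(export_entries_hardened(db, "ff_submissions", 10, manager_forms))
```

The authorization check has to be against the caller's own set of permitted forms, not merely "is a manager": the description's attackers already hold manager-level access, so a capability check alone would not stop them.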
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: Low
- Availability: None
Note: the published vector scores Privileges required as None, which is what yields 8.2, yet the description above requires an authenticated account with Fluent Forms manager-level access or higher. Triage on the description's precondition: the practical exposure is every account holding that role, not anonymous visitors. For comparison, the same vector recomputed with PR:L scores 7.1 and with PR:H scores 5.5.