CVE-2026-5395

HIGH

Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter

Title source: cna

Description

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure.

References (2)

Core 2

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd12b8a-2033-4236-abcd-2a8d08e7f099?source=cve

https://plugins.trac.wordpress.org/changeset/3507987/fluentform/trunk/app/Services/Transfer/TransferService.php

Scores

CVSS v3 8.2

EPSS 0.0023

EPSS Percentile 14.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

techjewel/Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder < 6.2.0

Published May 14, 2026

Tracked Since May 14, 2026