PatchSiren


CVE-2026-5396 Plugins CVE debrief

CVE-2026-5396 is a high-severity authorization bypass in the Fluent Forms WordPress plugin, affecting all versions up to and including 6.1.21. An authenticated user who holds Fluent Forms Manager access scoped to specific forms can supply an arbitrary form_id parameter and perform submission-level actions on forms outside that scope: reading submissions, changing their status, adding notes, and permanently deleting records. The CVE was published on 2026-05-14.

Vendor: Plugins (as recorded; the affected product is the Fluent Forms WordPress plugin per the advisory)
Product: Unknown in the stored record (Fluent Forms per the advisory)
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

WordPress administrators running Fluent Forms, especially on sites that delegate Fluent Forms Manager access scoped to a subset of forms. Security teams should prioritize this where the plugin handles sensitive submissions or where several staff roles manage different forms, since that is exactly the trust boundary the bug crosses.

Technical summary

The issue is a CWE-639 (authorization bypass through a user-controlled key) flaw in the SubmissionPolicy class. Instead of resolving which form a submission belongs to from the server-side record, the policy authorizes read, modify, delete, and add-note actions against a form_id taken from the request query string. An authenticated user permitted to manage one form can therefore target a submission that belongs to a different form while presenting the form_id they are allowed to manage, and the check passes because that value is in their allowed set. The supplied references indicate the affected range ends at 6.1.21, and the patch reference compares 6.1.21 to 6.2.0.
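The following is an added illustration of that pattern, written for this debrief; it is not Fluent Forms code. The names (Manager, SUBMISSIONS, authorize_vulnerable, authorize_fixed, can_act) and the in-memory submission table are assumptions made for the demo. The vulnerable function authorizes against the caller's form_id, as the advisory describes; the fixed function derives the owning form from the server-side record and treats a mismatching request form_id as a tampering signal.

```python
"""Added illustration of the CWE-639 pattern behind CVE-2026-5396.

Not Fluent Forms code: every name and table here is a constructed assumption.
The real plugin stores submissions in the database and checks capabilities
through WordPress; only the shape of the authorization decision is modelled.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Manager:
    """A form-scoped manager: may administer only the forms in allowed_forms."""
    user_id: int
    allowed_forms: frozenset


class PolicyError(PermissionError):
    """Raised when the policy denies the requested action."""


# Constructed submission store: submission_id -> id of the form that owns it.
SUBMISSIONS = {101: 1, 102: 1, 201: 2, 202: 2}


def authorize_vulnerable(manager: Manager, submission_id: int,
                         request_form_id: Optional[int]) -> int:
    """Flawed pattern: the capability check uses the caller-supplied form_id.

    The submission's real owner is never consulted, so a manager of form 1 can
    act on submission 201 (owned by form 2) simply by sending form_id=1.
    """
    if submission_id not in SUBMISSIONS:
        raise LookupError(f"unknown submission {submission_id}")
    if request_form_id not in manager.allowed_forms:
        raise PolicyError("not a manager of the supplied form")
    return request_form_id


def authorize_fixed(manager: Manager, submission_id: int,
                    request_form_id: Optional[int] = None) -> int:
    """Hardened pattern: derive the owning form from the server-side record.

    A request form_id, if present, is only validated for consistency; the
    capability check is always made against the stored owner.
    """
    owner = SUBMISSIONS.get(submission_id)
    if owner is None:
        raise LookupError(f"unknown submission {submission_id}")
    if request_form_id is not None and request_form_id != owner:
        # Mismatch between claimed and real form: fail closed, do not trust it.
        raise PolicyError("form_id does not match the submission's form")
    if owner not in manager.allowed_forms:
        raise PolicyError("not a manager of the submission's form")
    return owner


def can_act(policy, manager: Manager, submission_id: int,
            request_form_id: Optional[int]) -> bool:
    """True if `policy` allows the action on that submission, False if denied."""
    try:
        policy(manager, submission_id, request_form_id)
        return True
    except PolicyError:
        return False


if __name__ == "__main__":
    form1_manager = Manager(user_id=7, allowed_forms=frozenset({1}))
    # Cross-form delete attempt: target a form-2 submission, claim form_id=1.
    print("vulnerable:", can_act(authorize_vulnerable, form1_manager, 201, 1))  # True
    print("fixed:     ", can_act(authorize_fixed, form1_manager, 201, 1))       # False
```

The design point is in authorize_fixed: the only input that decides the outcome is the submission's stored owner, and a request value that disagrees with it is rejected rather than reconciled. Any other per-object check in custom code (status changes, note additions, exports) should follow the same rule.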

Defensive priority

High. The vulnerability requires authentication, but it exposes confidential submission content and enables destructive changes, including permanent deletion that a backup may be the only way to reverse. Prioritize remediation on any internet-facing or multi-admin WordPress instance running Fluent Forms with delegated, form-scoped manager permissions.

Recommended defensive actions

  • Upgrade Fluent Forms to 6.2.0 or later, the fixed release indicated by the referenced patch changeset, and confirm the installed version afterwards.
  • Review all accounts granted Fluent Forms Manager access and confirm that form-scoped access is still appropriate for each.
  • Audit submission activity for cross-form reads, status changes, note additions, and deletions that do not match the acting user's form scope.
  • Reduce or remove delegated manager permissions where they are not operationally necessary.
  • Confirm backups and retention controls so that deleted submissions can be recovered if needed.
  • Validate that integrations and custom workflows do not rely on client-supplied form_id values for authorization decisions.
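The audit item above can be run as a small join over whatever request records are available. The example below is added for this debrief and is not a Fluent Forms log format: the AccessRecord shape, the reference tables, and the sample records are all constructed. It assumes you can assemble, for each submission-level request, who made it, which submission it touched, which form_id the request carried, and which forms that user was scoped to (for instance from web server access logs joined with the submissions table and the manager permission settings). A submission that no longer exists in the reference table is flagged too, since a permanently deleted record is one of the outcomes the advisory describes.

```python
"""Added cross-form access audit for CVE-2026-5396 style abuse.

Constructed example, not Fluent Forms code. The record layout, the reference
tables and the sample records are assumptions made for this demo.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AccessRecord:
    """One submission-level request, as assembled from logs and the DB."""
    ts: str
    user_id: int
    action: str            # "read", "status", "note" or "delete"
    submission_id: int
    supplied_form_id: int  # the form_id the request carried


@dataclass(frozen=True)
class Finding:
    record: AccessRecord
    actual_form_id: int    # -1 when the submission is not in the reference table
    severity: str
    reason: str


# Constructed reference data: submission owner and manager scope.
SUBMISSION_OWNER: Dict[int, int] = {101: 1, 102: 1, 201: 2, 202: 2}
MANAGER_SCOPE: Dict[int, FrozenSet[int]] = {7: frozenset({1}), 8: frozenset({2})}

DESTRUCTIVE_ACTIONS = {"status", "note", "delete"}


def audit(records: List[AccessRecord],
          owners: Dict[int, int] = SUBMISSION_OWNER,
          scope: Dict[int, FrozenSet[int]] = MANAGER_SCOPE) -> List[Finding]:
    """Flag requests whose submission lies outside the acting user's form scope.

    The decision is made against the submission's stored owner, never against
    the form_id the request claimed, mirroring the fix rather than the bug.
    """
    findings: List[Finding] = []
    for r in records:
        severity = "high" if r.action in DESTRUCTIVE_ACTIONS else "medium"
        actual = owners.get(r.submission_id)
        if actual is None:
            findings.append(Finding(r, -1, severity,
                                    "submission missing from reference table "
                                    "(possibly deleted; check backups)"))
            continue
        allowed = scope.get(r.user_id, frozenset())
        if actual not in allowed:
            findings.append(Finding(r, actual, severity,
                                    "cross-form access: user not scoped to "
                                    "the submission's form"))
        elif r.supplied_form_id != actual:
            # In scope, but the request lied about the form: worth a look.
            findings.append(Finding(r, actual, "low",
                                    "form_id mismatch on an in-scope submission"))
    return findings


# Constructed sample records (timestamps and ids are made up).
SAMPLE_RECORDS = [
    AccessRecord("2026-05-14T09:00:01Z", 7, "read",   101, 1),  # in scope
    AccessRecord("2026-05-14T09:02:11Z", 7, "read",   201, 1),  # cross-form read
    AccessRecord("2026-05-14T09:02:40Z", 7, "delete", 202, 1),  # cross-form delete
    AccessRecord("2026-05-14T09:05:00Z", 8, "note",   201, 2),  # in scope
    AccessRecord("2026-05-14T09:06:30Z", 8, "status", 999, 2),  # unknown submission
]


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f.record.ts} user={f.record.user_id} {f.record.action} "
              f"submission={f.record.submission_id} claimed_form="
              f"{f.record.supplied_form_id} actual_form={f.actual_form_id} "
              f"[{f.severity}] {f.reason}")
```

Records that fail the scope check while claiming a form the user does manage are the direct signature of this bug; a burst of such entries ending in deletes is the case to escalate first.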

Evidence notes

The source advisory states that all versions up to and including 6.1.21 are affected and that the SubmissionPolicy class authorizes read, modify, delete, and add-note actions using a user-supplied form_id query parameter. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N with a score of 8.2. Note the inconsistency: PR:N denotes no privileges required, while the narrative describes an attacker who already holds form-scoped manager access. Treat the exploitation precondition as authenticated manager access, as the narrative states, and do not rely on the vector's PR component alone when deciding whether an unauthenticated exposure exists. The official record and NVD timestamps place public disclosure on 2026-05-14, and the WordPress changeset reference spans 6.1.21 to 6.2.0, which is the patch context available in the corpus.

Official resources

Publicly disclosed on 2026-05-14. The NVD record was published at 2026-05-14T06:16:24Z, and the CVE record/source item were published at 2026-05-14T06:31:33Z.