PatchSiren cyber security CVE debrief
CVE-2026-12400 priyanshuchaudhary CVE debrief
The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference, allowing authenticated attackers with contributor-level access to modify forms, including those owned by administrators, by supplying an arbitrary form ID in the REST URL. This vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity. The plugin's vulnerability allows for potential unauthorized modifications to forms on the site, which could lead to various security issues if exploited.
- Vendor
- priyanshuchaudhary
- Product
- FlowForms – Conversational Form Builder
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators and users with contributor-level access and above of WordPress sites using the FlowForms – Conversational Form Builder plugin should assess and mitigate this vulnerability. They should review the plugin's version, assess the potential impact, and implement necessary security measures to prevent exploitation.
Technical summary
The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1. This is due to missing validation on a user-controlled key in the update_form function. An authenticated attacker with contributor-level access and above can modify the content, design, and settings of, as well as publish or revert, any form on the site — including forms owned by administrators — by supplying an arbitrary form ID in the REST URL. The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity.
Defensive priority
Medium priority given the CVSS score of 4.3 and the potential impact of the vulnerability.
Recommended defensive actions
- Update the FlowForms – Conversational Form Builder plugin to a version that fixes the Insecure Direct Object Reference vulnerability.
- Restrict access to the REST API for users with contributor-level access and above.
- Monitor for suspicious activity related to form modifications.
- Consider implementing additional security measures such as input validation and access controls.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-10T09:16:52.553Z and was last modified on 2026-07-10T15:43:30.330Z. The vulnerability was reported by [email protected]. There is limited information available about the specific details of the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record provides a brief description of the vulnerability, but additional review is necessary to understand the full impact.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:52.553Z and has not been modified since then.