PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12400 priyanshuchaudhary CVE debrief

The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference, allowing authenticated attackers with contributor-level access to modify forms, including those owned by administrators, by supplying an arbitrary form ID in the REST URL. This vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity. The plugin's vulnerability allows for potential unauthorized modifications to forms on the site, which could lead to various security issues if exploited.

Vendor
priyanshuchaudhary
Product
FlowForms – Conversational Form Builder
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users with contributor-level access and above of WordPress sites using the FlowForms – Conversational Form Builder plugin should assess and mitigate this vulnerability. They should review the plugin's version, assess the potential impact, and implement necessary security measures to prevent exploitation.

Technical summary

The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1. This is due to missing validation on a user-controlled key in the update_form function. An authenticated attacker with contributor-level access and above can modify the content, design, and settings of, as well as publish or revert, any form on the site — including forms owned by administrators — by supplying an arbitrary form ID in the REST URL. The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity.

Defensive priority

Medium priority given the CVSS score of 4.3 and the potential impact of the vulnerability.

Recommended defensive actions

  • Update the FlowForms – Conversational Form Builder plugin to a version that fixes the Insecure Direct Object Reference vulnerability.
  • Restrict access to the REST API for users with contributor-level access and above.
  • Monitor for suspicious activity related to form modifications.
  • Consider implementing additional security measures such as input validation and access controls.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-10T09:16:52.553Z and was last modified on 2026-07-10T15:43:30.330Z. The vulnerability was reported by [email protected]. There is limited information available about the specific details of the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record provides a brief description of the vulnerability, but additional review is necessary to understand the full impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:52.553Z and has not been modified since then.