Fluent Forms Authorization Bypass via User-Controlled Parameters

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

The Fluent Forms plugin for WordPress (versions up to 6.1.21) contains a critical authorization bypass vulnerability in its SubmissionPolicy class. Authenticated users with restricted Fluent Forms Manager access can manipulate the `form_id` query parameter to gain unauthorized access to form submissions they should not see. This vulnerability allows attackers to read sensitive form data, modify submission status, add notes, and permanently delete submissions across forms outside their assigned scope. Any WordPress site running an affected version of Fluent Forms with multiple form managers or restricted user roles faces significant risk of data exposure and integrity compromise.

Casky's 261 matching skills leverage Claude's extended reasoning to detect the attack patterns associated with MITRE techniques TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners using Casky would identify suspicious patterns including: unauthorized API calls with manipulated form_id parameters from low-privilege accounts, submission access logs showing reads/modifications outside assigned form scopes, and privilege escalation indicators where restricted managers suddenly access restricted submissions. The platform's skill mapping reveals CWE-639 (Authorization Through User-Controlled Key) signatures—specifically parameter tampering attempts where user-supplied identifiers bypass access control checks. Findings would surface lateral privilege escalation chains and data access anomalies that traditional rules-based detection might miss, enabling practitioners to correlate suspicious query parameters with unauthorized submission modifications before data loss occurs.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-5396.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-5396

Casky has 261 skills that investigate the attack patterns behind CVE-2026-5396. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn