CVE-2026-11578: CWE-639 Authorization Bypass Through User-Controlled Key in Fluent Forms
The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration in which an administrator has created at least one Manager restricted to specific forms.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-11578 is an authorization bypass vulnerability (CWE-639) in the Fluent Forms WordPress plugin prior to version 6.2.5. The plugin fails to properly restrict deletion of form submission entries to only those forms a restricted Manager user is authorized to manage. Consequently, a Manager limited to specific forms can delete submission entries belonging to other forms. This vulnerability requires a non-default configuration where an administrator has created at least one Manager restricted to specific forms. No CVSS score or patch information is currently available.
Potential Impact
An attacker with Manager-level access restricted to certain forms can delete submission entries from forms outside their authorization scope. This could lead to unauthorized data loss or manipulation of form submission records. The impact is limited to users with Manager privileges and a specific non-default configuration, but it undermines the intended access controls within the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should review Manager role configurations and consider limiting Manager privileges or avoiding form-specific restrictions that could be exploited. Monitor vendor communications for updates and apply official patches once released.
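The authorization check that the technical summary above describes as missing, shown as an added illustration that is not Fluent Forms' code: a delete handler that trusts only the caller's Manager role beside a hardened one that resolves the entry's owning form server-side and requires that form to be in the Manager's authorized set (the pattern the mitigation section's "review Manager role configurations" guards against at the configuration level). The entry store, the Manager's form list and the function names are constructed assumptions, modelled with plain PHP arrays instead of the plugin's or WordPress's APIs.

```php
<?php
// Added illustration of the CWE-639 pattern behind CVE-2026-11578.
// Not Fluent Forms code: the store, the Manager and all names are hypothetical.

// Constructed sample store: entry id => id of the form it belongs to.
$entries = [
    101 => 1,   // entry 101 belongs to form 1
    102 => 1,
    201 => 2,   // entry 201 belongs to form 2
];

// Constructed restricted Manager: authorized for form 1 only.
$allowedForms = [1];

/**
 * Vulnerable pattern: the entry id is user-controlled and the handler never
 * looks up which form the entry belongs to, so a Manager restricted to
 * form 1 can delete entries of any form.
 */
function deleteEntryVulnerable(array &$entries, bool $isManager, int $entryId): bool
{
    if (!$isManager || !isset($entries[$entryId])) {
        return false;
    }
    unset($entries[$entryId]);
    return true;
}

/**
 * Hardened pattern: resolve the owning form from the server-side store via
 * the supplied key, then require that form to be in the Manager's authorized
 * set. The form id is never taken from the request, so it cannot be spoofed.
 */
function deleteEntryAuthorized(array &$entries, array $allowedForms, int $entryId): bool
{
    if (!isset($entries[$entryId])) {
        return false;                      // unknown entry: deny
    }
    $owningForm = $entries[$entryId];      // trusted mapping, not client input
    if (!in_array($owningForm, $allowedForms, true)) {
        return false;                      // out of this Manager's scope
    }
    unset($entries[$entryId]);
    return true;
}

// Demonstration on copies of the store: the form-1 Manager targets entry 201 (form 2).
$copy = $entries;
echo 'vulnerable handler, entry 201: ', deleteEntryVulnerable($copy, true, 201) ? "deleted\n" : "denied\n";
$copy = $entries;
echo 'hardened handler, entry 201:   ', deleteEntryAuthorized($copy, $allowedForms, 201) ? "deleted\n" : "denied\n";
echo 'hardened handler, entry 101:   ', deleteEntryAuthorized($copy, $allowedForms, 101) ? "deleted\n" : "denied\n";
```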
CVSS v3.1 score: 2.7 (Low)
Weaknesses: CWE-639 (Authorization Bypass Through User-Controlled Key)
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-06-08T11:40:12.713Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a46037a27e9c7971942c633
Added to database: 07/02/2026, 06:21:46 UTC
Last enriched: 07/02/2026, 06:37:18 UTC
Last updated: 07/03/2026, 01:58:49 UTC