CVE-2026-11578

Fluent Forms Manager Unauthorized Form Submission Deletion

Vulnerability report for CVE-2026-11578, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: WPScan

Description

The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration in which an administrator has created at least one Manager restricted to specific forms.

CVSS Scores

EPSS Scores


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPE (1):
Vendor: wpfluent
Product: fluent_forms
Version / Range: up to 6.2.5 (exclusive), i.e. all versions before 6.2.5

Helpful Resources

Exploitability

CWE ID / Description: CWE-UNKNOWN

KEV

Attack-Flow Graph

Executive Summary

CVE-2026-11578 is a vulnerability in the Fluent Forms WordPress plugin versions before 6.2.5, specifically affecting the Form Manager+ feature. It is an Insecure Direct Object Reference (IDOR) issue that allows a Manager user, who is restricted to managing specific forms, to delete submission entries from other forms they are not authorized to manage.

This happens because the plugin does not properly check permissions during the deletion process. An attacker with Manager-level access can manipulate the REST API by sending a crafted request that uses an authorized form ID but targets submission entries from unauthorized forms, resulting in unauthorized deletion.

The vulnerability requires a non-default configuration where an administrator has created at least one Manager restricted to specific forms. The issue was fixed in version 6.2.5 by enforcing proper form-specific access controls.

Impact Analysis

This vulnerability allows a restricted Manager user to permanently delete form submission entries from forms they should not have access to, which can mean loss of important data submitted through forms on your WordPress site.

Because the deletion is permanent, it can damage data integrity and disrupt business processes that rely on form submissions. Successful exploitation could also undermine trust in the site's data management and cause operational issues.

Detection Guidance

This vulnerability can be detected by monitoring for unusual deletion requests to the Fluent Forms REST API endpoint, specifically the `/wp-json/fluentform/v1/submissions/bulk-actions` endpoint.

An attacker exploits this vulnerability by sending crafted REST API requests that include an authorized form ID but target submission entries from unauthorized forms.

To detect such activity, you can inspect your web server or application logs for POST requests to this endpoint that include mismatched form IDs and submission entry IDs.

  • Use command-line tools such as `grep` or `awk` to filter logs for requests to the endpoint, for example: `grep '/wp-json/fluentform/v1/submissions/bulk-actions' /path/to/access.log`
  • Analyze the request payloads for inconsistencies between the authorized form ID and the submission entry IDs being deleted.

Additionally, monitoring for REST API requests with valid nonces from Manager-level users that perform bulk deletion actions can help identify exploitation attempts.
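The following Python script is an added example of the two detection steps described above; it is not code from the advisory or from the Fluent Forms project. It assumes web server access logs in the Apache/nginx "combined" format and an application-side record of which form each submission entry belongs to (modelled here as a constructed dictionary). The sample log lines, IP addresses, form IDs and entry IDs are all constructed for the example.

```python
"""Detection helpers for CVE-2026-11578 (added example, not vendor code).

Assumptions (not from the advisory): access logs are in Apache/nginx
combined format, and a lookup from submission entry ID to owning form ID
is available from the application side (modelled by a constructed dict).
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Endpoint named in the advisory's detection guidance.
ENDPOINT = "/wp-json/fluentform/v1/submissions/bulk-actions"

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: three rapid bulk-action POSTs from one client,
# one from another, plus unrelated traffic. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2026:10:15:01 +0000] "POST /wp-json/fluentform/v1/submissions/bulk-actions HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jul/2026:10:15:02 +0000] "POST /wp-json/fluentform/v1/submissions/bulk-actions HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jul/2026:10:15:04 +0000] "POST /wp-json/fluentform/v1/submissions/bulk-actions HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jul/2026:10:20:11 +0000] "GET /wp-json/fluentform/v1/forms HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jul/2026:10:21:40 +0000] "POST /wp-json/fluentform/v1/submissions/bulk-actions HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.7 - - [02/Jul/2026:10:25:00 +0000] "GET /wp-admin/admin.php?page=fluent_forms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


class Request(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]))


def bulk_action_requests(lines: Iterable[str]) -> List[Request]:
    """Keep only POST requests to the bulk-actions endpoint (query string ignored)."""
    out: List[Request] = []
    for line in lines:
        req = parse_line(line)
        if req and req.method == "POST" and req.path.split("?", 1)[0] == ENDPOINT:
            out.append(req)
    return out


def requests_per_client(reqs: Iterable[Request]) -> Dict[str, int]:
    """Count bulk-action POSTs per client address."""
    return dict(Counter(r.ip for r in reqs))


def flag_bursty_clients(reqs: Iterable[Request], threshold: int = 3) -> List[str]:
    """Clients that issued at least `threshold` bulk-action POSTs.

    The threshold is an assumed tuning value; calibrate it against normal
    Manager activity on your own site before acting on it.
    """
    return sorted(ip for ip, n in requests_per_client(reqs).items() if n >= threshold)


# Constructed entry -> owning form map, standing in for the plugin's database.
ENTRY_TO_FORM: Dict[int, int] = {101: 7, 102: 7, 103: 7, 205: 9, 206: 9}


def mismatched_entries(form_id: int, entry_ids: Iterable[int],
                       entry_to_form: Dict[int, int]) -> List[Tuple[int, int]]:
    """Entries in a bulk-delete request that belong to a form other than the one named.

    A non-empty result is the cross-form pattern the advisory describes.
    Entry IDs absent from the map are skipped here; in production they should
    be logged as unknown rather than silently ignored.
    """
    return [(e, entry_to_form[e]) for e in entry_ids
            if e in entry_to_form and entry_to_form[e] != form_id]


if __name__ == "__main__":
    reqs = bulk_action_requests(SAMPLE_LOG.splitlines())
    print("bulk-action POSTs per client:", requests_per_client(reqs))
    print("bursty clients:", flag_bursty_clients(reqs))
    # Constructed request: names form 7 but includes entry 205, which belongs to form 9.
    print("cross-form entries:", mismatched_entries(7, [101, 102, 205], ENTRY_TO_FORM))
```

One caveat the access-log step cannot avoid: standard access logs record the request line but not the POST body, so the form ID and entry IDs in the payload are only visible if your WAF, reverse proxy or application logging captures request bodies or the plugin's own activity records. The first three functions therefore give you candidate requests and clients to look at; the entry-to-form cross-check is the part that actually confirms a cross-form deletion, and it needs the application-side data.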

Mitigation Strategies

The immediate and most effective mitigation is to update the Fluent Forms WordPress plugin to version 6.2.5 or later, where the vulnerability is fixed by properly enforcing form-specific access controls.

If updating immediately is not possible, restrict or disable the Form Manager+ feature for users who do not require it, especially those with Manager-level access.

Additionally, monitor and audit REST API usage to detect and block suspicious deletion requests targeting form submissions.

Limit the number of users with Manager-level permissions and ensure that non-default configurations involving restricted Managers are reviewed for necessity.
