{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25313", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:39.016Z", "datePublished": "2026-02-19T08:26:53.940Z", "dateUpdated": "2026-04-28T16:14:54.620Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "fluentform", "product": "FluentForm", "vendor": "Shahjahan Jewel", "versions": [{"changes": [{"at": "6.1.15", "status": "unaffected"}], "lessThanOrEqual": "6.1.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:02.908Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Shahjahan Jewel FluentForm fluentform allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FluentForm: from n/a through <= 6.1.14.</p>"}], "value": "Missing Authorization vulnerability in Shahjahan Jewel FluentForm fluentform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentForm: from n/a through <= 6.1.14."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.620Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/fluentform/vulnerability/wordpress-fluentform-plugin-6-1-14-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress FluentForm plugin <= 6.1.14 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T16:49:53.292391Z", "id": "CVE-2026-25313", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:54:24.623Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25313", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T16:49:53.292391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T16:48:48.000Z"}}], "cna": {"title": "WordPress FluentForm plugin <= 6.1.14 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Shahjahan Jewel", "product": "FluentForm", "versions": [{"status": "affected", "changes": [{"at": "6.1.15", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "6.1.14"}], "packageName": "fluentform", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:39.601Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/fluentform/vulnerability/wordpress-fluentform-plugin-6-1-14-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Shahjahan Jewel FluentForm fluentform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentForm: from n/a through <= 6.1.14.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Shahjahan Jewel FluentForm fluentform allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FluentForm: from n/a through <= 6.1.14.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:48.778Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25313", "state": "PUBLISHED", "dateUpdated": "2026-04-28T12:54:24.623Z", "dateReserved": "2026-02-02T12:20:39.016Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:53.940Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Shahjahan Jewel FluentForm fluentform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentForm: from n/a through <= 6.1.14."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Shahjahan Jewel FluentForm fluentform permite la explotaci\u00f3n de niveles de seguridad de control de acceso mal configurados. Este problema afecta a FluentForm: desde n/a hasta &lt;= 6.1.14."}], "id": "CVE-2026-25313", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:15.490", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/fluentform/vulnerability/wordpress-fluentform-plugin-6-1-14-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.1.14]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "6.1.15"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FluentForm", "source": "cna", "vendor": "Shahjahan Jewel"}, "product": "fluentform", "vendor": "shahjahan_jewel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:32:58.543462+00:00", "value": {"mitigation_remediation": ["Update the FluentForm plugin to a version newer than 6.1.14 (ideally 6.1.15 or later) to apply the vendor\u2011supplied fix for the access control flaw.", "If an immediate update is not possible, temporarily restrict access to the plugin\u2019s administrative interface by limiting the IP range that can reach the site or by using a WordPress security plugin to enforce stricter role\u2011based controls for form management.", "Review and audit WordPress user roles and capabilities, ensuring that only trusted administrators have permission to add or edit forms, and remove unnecessary high\u2011privilege roles from non\u2011admin users."], "summary": {"action": "Patch", "impact": "Unauthorized Access and Potential Data Exposure"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress FluentForm plugin by Shahjahan Jewel using version 6.1.14 or earlier are affected. No version prior to 6.1.15 is vulnerable. The flaw spans from the earliest available release through the listed maximum version, and there is no known partial patch for intermediate releases.", "description_and_impact": "The vulnerability is a missing authorization flaw in the FluentForm plugin. It allows attackers to bypass configured access control levels, potentially accessing or manipulating forms and data that should be restricted. This flaw maps to CWE\u2011862 and can lead to unauthorized disclosure, modification, or deletion of sensitive form content.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a low\u2011to\u2011moderate risk, and the EPSS score of less than 1% indicates a very low likelihood of exploitation in the field. The vulnerability is not present in CISA\u2019s KEV catalog. The likely attack vector is a web attacker sending crafted HTTP requests to privileged plugin endpoints, exploiting the broken access control to read or modify form data without proper authorization. Because the flaw bypasses the plugin\u2019s internal permission checks, an attacker with minimal or no credentials could potentially gain unauthorized access to sensitive forms or user data."}}}}, "created": "2026-02-20T10:09:09.250732+00:00", "updated": "2026-04-16T00:45:15.961803+00:00", "vendors": ["shahjahan_jewel", "shahjahan_jewel$PRODUCT$fluentform", "wordpress", "wordpress$PRODUCT$wordpress"]}