WordPress Plugin Vulnerabilities

FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration < 1.91.3 - Authenticated (Board Member+) Insecure Direct Object Reference

Description

The FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.91.2 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Custom-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
fluent-boards
Fixed in 1.91.3

References

CVE
CVE-2026-40784
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/12959cc5-d088-4e2c-8658-e54900839aa6

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jakub Herman
Verified
No
WPVDB ID
999cf3c9-c488-4b34-a594-3134a5b66ba4

Timeline

Publicly Published
2026-04-15 (about 1 month ago)
Added
2026-04-21 (about 1 month ago)
Last Updated
2026-04-21 (about 1 month ago)

Other

Published
Title
Published
2025-12-03
Title
HUSKY – Products Filter Professional for WooCommerce < 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'
Published
2023-12-05
Title
WP Photo Album Plus < 8.6.01.003 - Insecure Direct Object Reference
Published
2025-10-08
Title
Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme < 1.5.0 - Authenticated (Subscriber+) Privilege Escalation
Published
2023-11-03
Title
Youzify < 1.2.3 - Insecure Direct Object Reference
Published
2024-07-18
Title
GiveWP – Donation Plugin and Fundraising Platform < 3.14.0 - Insecure Direct Object Reference to Authenticated (GiveWP Worker+) Arbitrary Post Actions