WordPress Plugin Vulnerabilities

Fluent Forms < 6.1.15 - Subscriber+ Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function, making it possible for authenticated attackers with Subscriber-level access and above to perform an unauthorized action.

Affects Plugins

Plugin icon
fluentform
Fixed in 6.1.15

References

CVE
CVE-2026-25313
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5a85c367-99f5-4a46-94bc-ed6e6626514b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
benzdeus
Verified
No
WPVDB ID
f2fb3cb1-f1da-40f5-8559-8058cb094310

Timeline

Publicly Published
2026-01-25 (about 4 months ago)
Added
2026-05-04 (about 1 month ago)
Last Updated
2026-05-04 (about 1 month ago)

Other

Published
Title
Published
2024-09-05
Title
AI Assistant with ChatGPT by AYS <= 2.0.9 - Unauthenticated AJAX Calls
Published
2023-09-05
Title
Automatic YouTube Gallery < 2.3.5 - Missing Authorization via AJAX actions
Published
2024-11-22
Title
WPDash Notes <= 1.3.5 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Published
2026-03-20
Title
WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups < 2.11.0 - Missing Authorization
Published
2026-02-18
Title
NitroPack < 1.19.4 - Missing Authorization