CVE-2026-11578
Description
The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration in which an administrator has created at least one Manager restricted to specific forms.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | Fluent Forms | — | 0 < 6.2.5 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-639 | cna | Authorization Bypass Through User-Controlled Key |