CVE-2026-12400 in FlowForms Plugininfo

Summary

by MITRE • 07/10/2026

The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site — including forms owned by administrators — by supplying an arbitrary form ID in the REST URL.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The FlowForms plugin for WordPress presents a critical security vulnerability classified as Insecure Direct Object Reference under CWE-639, affecting all versions through 1.1.1. This weakness stems from insufficient input validation within the update_form functionality, which fails to properly authenticate and authorize user requests based on the form identifier provided in REST API calls. The vulnerability specifically manifests when an authenticated attacker with contributor-level privileges or higher manipulates REST endpoints by inserting arbitrary form IDs into the request parameters.

The technical flaw exploits a fundamental lack of access control validation within the plugin's REST API implementation. When processing update_form requests, the system accepts user-supplied form identifiers without verifying whether the authenticated user possesses legitimate authorization to modify the target resource. This absence of proper object reference validation allows malicious actors to bypass normal access controls and gain unauthorized administrative capabilities over any form within the WordPress installation.

Authenticated attackers with contributor-level access can leverage this vulnerability to execute a wide range of malicious activities including modifying form content, altering design elements, changing form settings, publishing or reverting forms, and potentially compromising sensitive data collection processes. The impact extends beyond simple data modification as administrators may lose control over critical customer data forms, leading to potential data breaches, unauthorized information collection, and service disruption. This vulnerability particularly affects organizations relying on FlowForms for sensitive data collection where form integrity and access control are paramount.

The operational consequences of this vulnerability are severe as it enables privilege escalation within the WordPress environment without requiring elevated administrative credentials. Attackers can systematically target forms owned by administrators, potentially accessing confidential information collected through these forms. The REST API endpoint becomes a vector for unauthorized modifications that could go undetected for extended periods. This vulnerability aligns with ATT&CK technique T1078.004 which covers valid accounts and T1566.002 for spearphishing via email, as attackers can leverage existing contributor accounts to gain broader access.

Organizations should immediately implement mitigations including upgrading to the latest plugin version where this vulnerability has been addressed, implementing proper input validation on all REST API endpoints, and restricting REST API access to trusted IP addresses or implementing additional authentication layers. The recommended solution involves validating form ownership through proper user authorization checks before processing any update requests, ensuring that users can only modify forms they legitimately own or have explicit permission to edit. Additionally, administrators should audit existing contributor accounts and review user permissions to minimize the attack surface.

Responsible

Wordfence

Reservation

06/16/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!