Share
## https://sploitus.com/exploit?id=26028749-2DDF-5579-A012-E72718794A87
# CVE-2026-12400 โ€” FlowForms IDOR: Unauthorized Form Modification

> **Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary Form Modification in FlowForms โ‰ค 1.1.1**

## Vulnerability Overview

| Property        | Value                                                                                                |
| --------------- | ---------------------------------------------------------------------------------------------------- |
| **CVE ID**      | CVE-2026-12400                                                                                       |
| **CVSS Score**  | **6.4 โ€” Medium**                                                                                     |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N`                                                      |
| **CWE**         | CWE-639 (Authorization Bypass Through User-Controlled Key)                                           |
| **Product**     | [FlowForms](https://wordpress.org/plugins/flowforms/) โ€” WordPress Conversational Form Builder Plugin |
| **Affected**    | All versions up to and including **1.1.1**                                                           |
| **Fixed In**    | Not Fixed at time of disclosure                                                                      |
| **Researcher**  | [Phantom Hat](https://medium.com/@phantom_hat)                                                       |

---

## Technical Analysis

Full white-box case study with source code analysis, input flow tracing, and patch diffing:

> ๐Ÿ“„ [CVE-2026-12400 Case Study โ€” Medium](https://medium.com/@phantom_hat/cve-2026-12400-case-study-flowforms-1-1-1-b5c06f4e0d71)

### Attack Surface

FlowForms exposes two REST API endpoints under the `flowforms/v1` namespace that are vulnerable:

```
POST /index.php?rest_route=/flowforms/v1/forms/{id}
POST /index.php?rest_route=/flowforms/v1/forms/{id}/settings
```

Both accept a user-controlled `{id}` in the URL path and modify the target form's data โ€” name, content, layout, redirect URL, and email notification recipients.

### Root Cause

Both vulnerable route registrations share the same flawed `permission_callback`:

```php
// Update form content / name
register_rest_route($ns, '/forms/(?P\d+)', [
    'methods'             => WP_REST_Server::EDITABLE,
    'callback'            => [$this, 'update_form'],
    'permission_callback' => fn() => current_user_can('edit_posts'),
]);

// Update form settings (email notifications, layout, etc.)
register_rest_route($ns, '/forms/(?P\d+)/settings', [
    'methods'             => WP_REST_Server::EDITABLE,
    'callback'            => [$this, 'update_settings'],
    'permission_callback' => fn() => current_user_can('edit_posts'),
]);
```

`edit_posts` is a capability held by **Contributors**. The `{id}` parameter is never checked against the requesting user's ownership โ€” any authenticated user can target any form ID on the site.

### Attack Flow

```
Attacker (Contributor)              FlowForms REST API
        โ”‚                                   โ”‚
        โ”‚โ”€โ”€ POST /wp-login.php โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>โ”‚  (1) Authenticate as Contributor
        โ”‚โ”‚  (2) Harvest REST nonce
        โ”‚โ”‚  (3) Enumerate published forms
        โ”‚โ”‚       โ† no owner check
        โ”‚โ”‚       โ† attacker receives all
        โ”‚ fn() => current_user_can('edit_posts'),

// SECURE (patched)
private function can_edit_form($form_id) {
    return current_user_can('edit_post', $form_id);
}

'permission_callback' => fn($request) => $this->can_edit_form(absint($request['id'])),
```

---

## References

- [CWE-639 โ€” Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
- [register_rest_route() โ€” WordPress Developer Docs](https://developer.wordpress.org/reference/functions/register_rest_route/)
- [current_user_can() โ€” WordPress Developer Docs](https://developer.wordpress.org/reference/functions/current_user_can/)
- [FlowForms Plugin โ€” WordPress.org](https://wordpress.org/plugins/flowforms/)

---

## Project Structure

```
CVE-2026-12400-FlowForms-IDOR-Exploit/
โ”œโ”€โ”€ CVE-2026-12400-exploit.py   # Polished exploit with rich UI (3 modes)
โ”œโ”€โ”€ requirements.txt            # Python dependencies
โ””โ”€โ”€ README.md                   # This file
```

---

## Disclaimer

> **This tool is provided for authorized security testing and educational research purposes only.**
> Unauthorized access to computer systems is illegal under applicable laws worldwide.
> The author assumes no liability for misuse of this software.
> Always obtain explicit written permission before testing any system you do not own.

---

## Author

**Phantom Hat** โ€” Independent Security Researcher

- Medium: [@phantom_hat](https://medium.com/@phantom_hat)
- GitHub: [0x00phantom-hat](https://github.com/0x00phantom-hat)

---

*This research was conducted as part of responsible vulnerability disclosure.*