## https://sploitus.com/exploit?id=26028749-2DDF-5579-A012-E72718794A87
# CVE-2026-12400 โ FlowForms IDOR: Unauthorized Form Modification
> **Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary Form Modification in FlowForms โค 1.1.1**
## Vulnerability Overview
| Property | Value |
| --------------- | ---------------------------------------------------------------------------------------------------- |
| **CVE ID** | CVE-2026-12400 |
| **CVSS Score** | **6.4 โ Medium** |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N` |
| **CWE** | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| **Product** | [FlowForms](https://wordpress.org/plugins/flowforms/) โ WordPress Conversational Form Builder Plugin |
| **Affected** | All versions up to and including **1.1.1** |
| **Fixed In** | Not Fixed at time of disclosure |
| **Researcher** | [Phantom Hat](https://medium.com/@phantom_hat) |
---
## Technical Analysis
Full white-box case study with source code analysis, input flow tracing, and patch diffing:
> ๐ [CVE-2026-12400 Case Study โ Medium](https://medium.com/@phantom_hat/cve-2026-12400-case-study-flowforms-1-1-1-b5c06f4e0d71)
### Attack Surface
FlowForms exposes two REST API endpoints under the `flowforms/v1` namespace that are vulnerable:
```
POST /index.php?rest_route=/flowforms/v1/forms/{id}
POST /index.php?rest_route=/flowforms/v1/forms/{id}/settings
```
Both accept a user-controlled `{id}` in the URL path and modify the target form's data โ name, content, layout, redirect URL, and email notification recipients.
### Root Cause
Both vulnerable route registrations share the same flawed `permission_callback`:
```php
// Update form content / name
register_rest_route($ns, '/forms/(?P\d+)', [
'methods' => WP_REST_Server::EDITABLE,
'callback' => [$this, 'update_form'],
'permission_callback' => fn() => current_user_can('edit_posts'),
]);
// Update form settings (email notifications, layout, etc.)
register_rest_route($ns, '/forms/(?P\d+)/settings', [
'methods' => WP_REST_Server::EDITABLE,
'callback' => [$this, 'update_settings'],
'permission_callback' => fn() => current_user_can('edit_posts'),
]);
```
`edit_posts` is a capability held by **Contributors**. The `{id}` parameter is never checked against the requesting user's ownership โ any authenticated user can target any form ID on the site.
### Attack Flow
```
Attacker (Contributor) FlowForms REST API
โ โ
โโโ POST /wp-login.php โโโโโโโโโโโโ>โ (1) Authenticate as Contributor
โโ (2) Harvest REST nonce
โโ (3) Enumerate published forms
โโ โ no owner check
โโ โ attacker receives all
โ fn() => current_user_can('edit_posts'),
// SECURE (patched)
private function can_edit_form($form_id) {
return current_user_can('edit_post', $form_id);
}
'permission_callback' => fn($request) => $this->can_edit_form(absint($request['id'])),
```
---
## References
- [CWE-639 โ Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
- [register_rest_route() โ WordPress Developer Docs](https://developer.wordpress.org/reference/functions/register_rest_route/)
- [current_user_can() โ WordPress Developer Docs](https://developer.wordpress.org/reference/functions/current_user_can/)
- [FlowForms Plugin โ WordPress.org](https://wordpress.org/plugins/flowforms/)
---
## Project Structure
```
CVE-2026-12400-FlowForms-IDOR-Exploit/
โโโ CVE-2026-12400-exploit.py # Polished exploit with rich UI (3 modes)
โโโ requirements.txt # Python dependencies
โโโ README.md # This file
```
---
## Disclaimer
> **This tool is provided for authorized security testing and educational research purposes only.**
> Unauthorized access to computer systems is illegal under applicable laws worldwide.
> The author assumes no liability for misuse of this software.
> Always obtain explicit written permission before testing any system you do not own.
---
## Author
**Phantom Hat** โ Independent Security Researcher
- Medium: [@phantom_hat](https://medium.com/@phantom_hat)
- GitHub: [0x00phantom-hat](https://github.com/0x00phantom-hat)
---
*This research was conducted as part of responsible vulnerability disclosure.*