{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40784", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:20:42.117Z", "datePublished": "2026-04-15T10:21:35.828Z", "dateUpdated": "2026-04-15T15:43:56.980Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "fluent-boards", "product": "FluentBoards", "vendor": "Mahmudul Hasan Arif", "versions": [{"changes": [{"at": "1.91.3", "status": "unaffected"}], "lessThanOrEqual": "1.91.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:49.447Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FluentBoards: from n/a through <= 1.91.2.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:35.828Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress FluentBoards plugin <= 1.91.2 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:43:41.106937Z", "id": "CVE-2026-40784", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:43:56.980Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40784", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:43:41.106937Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:43:28.450Z"}}], "cna": {"title": "WordPress FluentBoards plugin <= 1.91.2 - Insecure Direct Object References (IDOR) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Mahmudul Hasan Arif", "product": "FluentBoards", "versions": [{"status": "affected", "changes": [{"at": "1.91.3", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.91.2"}], "packageName": "fluent-boards", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T12:20:49.447Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.2.", "supportingMedia": [{"type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FluentBoards: from n/a through <= 1.91.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:35.828Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40784", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:43:56.980Z", "dateReserved": "2026-04-15T09:20:42.117Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-15T10:21:35.828Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.2."}], "id": "CVE-2026-40784", "lastModified": "2026-04-15T16:16:38.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.3, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T11:16:37.030", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.91.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FluentBoards", "source": "cna", "vendor": "Mahmudul Hasan Arif"}, "product": "fluentboards", "vendor": "mahmudul_hasan_arif"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T11:21:09.900271+00:00", "value": {"mitigation_remediation": ["Upgrade FluentBoards to the latest released version (>=\u202f1.91.3) which removes the IDOR flaw", "Disable or uninstall FluentBoards if it is not required for site functionality", "Configure WordPress and the plugin to enforce strict role\u2011based access controls, ensuring that all object identifiers are validated server\u2011side against the requesting user\u2019s permissions"], "summary": {"action": "Immediate patch", "impact": "Authorization bypass via IDOR"}, "threat_synthesis": {"affected_systems": "Affected is the FluentBoards plugin for WordPress, authored by Mahmudul Hasan Arif. All releases up to and including version\u202f1.91.2 are vulnerable. No specific patch version is listed in the CNA data.", "description_and_impact": "WordPress plugin FluentBoards suffers from an Insecure Direct Object Reference (IDOR) flaw that allows an attacker to bypass authorization controls by supplying a user\u2011controlled key. This leads to unauthorized access to, edit, or delete resources such as boards, tasks, or other object types governed by the plugin. The weakness is classified as CWE\u2011639.", "risk_and_exploitability": "Given that the EPSS score is not available and the vulnerability is not listed in CISA KEV, the risk remains unquantified; however, exploitation requires only moderate effort. Based on the description, it is inferred that an attacker can construct requests with guessed or enumerated object identifiers to read or manipulate protected data. The likely attack vector is remote via the web, assuming the attacker can access the WordPress site. No evidence of active exploitation is reported, but the flaw enables privilege escalation within the WordPress installation."}}}}, "created": "2026-04-15T13:38:28.755767+00:00", "updated": "2026-04-15T14:52:57.359088+00:00", "vendors": ["mahmudul_hasan_arif", "mahmudul_hasan_arif$PRODUCT$fluentboards", "wordpress", "wordpress$PRODUCT$wordpress"]}