Description
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.
Published: 2025-12-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Payment Status Tampering
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a missing validation on the 'submission_id' parameter, allowing an unauthenticated attacker to manipulate the payment status of any submission. Because the confirmScaPayment() function accepts arbitrary IDs, an adversary can craft requests to mark a successful transaction as failed or vice versa, undermining the integrity of payment processing and potentially resulting in financial loss or denial of service for merchants.

Affected Systems

WordPress sites running the Fluent Forms plugin version 6.1.7 or earlier. The affected component is the PaymentMethods module of the plugin (StripeInlineProcessor). Users of the plugin across any WordPress installation are at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, suggesting low observed exploitation likelihood. It is not listed in the CISA KEV catalog. The attack surface is the unauthenticated endpoint that accepts a 'submission_id', so an attacker needs only to guess or enumerate a valid identifier to tamper with payment status. Because neither authentication nor rate limiting is enforced, exploitation is remote and low-effort, but success depends on discovering a usable submission identifier.

Generated by OpenCVE AI on April 20, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fluent Forms plugin to version 6.1.8 or later, where input validation on 'submission_id' has been implemented.
  • If an upgrade cannot be performed immediately, enforce server-side validation to ensure the 'submission_id' belongs to the current user or session, or block the confirmScaPayment endpoint for unauthenticated requests.
  • Add rate limiting or IP restrictions to the payment confirmation endpoint to reduce the feasibility of brute-force enumeration attacks.
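One way to implement the second recommendation, as an added PHP example that is not Fluent Forms' or OpenCVE's code: the handler treats 'submission_id' as a lookup key only, binds it to a per-submission secret issued to the browser that created the submission, and takes the payment outcome from the gateway rather than the request. The hook, table, column and helper names are assumed placeholders; the WordPress core functions are real.

```php
<?php
// Added illustration, not Fluent Forms code. Every function, hook, table and
// column name is a hypothetical placeholder; only the WordPress core calls
// (absint, sanitize_text_field, wp_unslash, $wpdb, wp_send_json_*) are real.

add_action( 'wp_ajax_example_confirm_payment', 'example_confirm_payment' );
add_action( 'wp_ajax_nopriv_example_confirm_payment', 'example_confirm_payment' );

// Placeholder for the server-side gateway lookup: the outcome never comes from the request body.
function example_gateway_outcome( $intent_id ) {
    return 'succeeded'; // replace with the real gateway API call
}

function example_confirm_payment() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_submissions';

    // The IDOR pattern trusts this number on its own; here it is only a lookup key.
    $submission_id = isset( $_POST['submission_id'] ) ? absint( $_POST['submission_id'] ) : 0;
    $client_token  = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
    if ( ! $submission_id || '' === $client_token ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, status, intent_id, confirm_token FROM {$table} WHERE id = %d", $submission_id
    ) );

    // Ownership binding: the caller must hold the random secret issued to the
    // browser that created the submission. An unknown ID and a wrong token get
    // the same response, so the endpoint does not reveal which IDs exist.
    if ( ! $row || ! hash_equals( (string) $row->confirm_token, $client_token ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 403 );
    }

    // Only a pending submission may change state; a settled one is final.
    if ( 'pending' !== $row->status ) {
        wp_send_json_error( array( 'message' => 'Submission is not pending.' ), 409 );
    }

    $new_status = ( 'succeeded' === example_gateway_outcome( $row->intent_id ) ) ? 'paid' : 'failed';

    // Conditional update: the status = 'pending' clause turns a racing duplicate
    // request into a no-op rather than a second transition.
    $updated = $wpdb->update( $table, array( 'status' => $new_status ),
        array( 'id' => $row->id, 'status' => 'pending' ), array( '%s' ), array( '%d', '%s' ) );

    wp_send_json_success( array( 'updated' => (bool) $updated, 'status' => $new_status ) );
}
```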
Advisories

No advisories yet.

History

Tue, 09 Dec 2025 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Mon, 08 Dec 2025 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Dec 2025 06:45:00 +0000

Type | Values Removed | Values Added
Description | | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.
Title | | Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:12.805Z

Reserved: 2025-11-26T15:56:07.294Z

Link: CVE-2025-13748

Vulnrichment

Updated: 2025-12-08T21:27:37.937Z

NVD

Status : Deferred

Published: 2025-12-06T07:15:48.220

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses