Impact
The vulnerability in the Fluent Forms WordPress plugin allows an authenticated user with only a low-privilege account to cancel a subscription belonging to another user, because the plugin does not verify that the requester owns the subscription before processing the cancellation request. This missing ownership validation means an attacker can disrupt a subscriber's service, potentially causing loss of revenue and compromising the integrity of the subscription system. The flaw is an instance of an insecure direct object reference (IDOR) and directly affects the integrity of subscription data and the availability of the subscriber's service.
Affected Systems
Fluent Forms WordPress plugin versions prior to 6.2.1 are affected. The vulnerability exists in all installations that have not updated to 6.2.1 or later.
Risk and Exploitability
The flaw requires only that the attacker be a logged-in user, making the attack relatively easy to automate once credentials are obtained. Exploitation can be carried out through normal plugin endpoints by supplying the target subscription identifier. No public exploits are known and the EPSS score is not available, but the absence of the vulnerability from CISA's KEV catalog does not diminish the risk to systems that remain on vulnerable versions.
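As an added illustration of the defect class described above (example code, not Fluent Forms' own handler; the table, column, nonce and action names are hypothetical), a WordPress AJAX cancellation handler that trusts the supplied subscription id is shown beside a version that ties the operation to the calling user:

```php
<?php
// Hypothetical plugin code. Table "example_subscriptions" with columns id, user_id, status
// and the AJAX action name are assumptions for this example only.

// BEFORE: the nonce check stops CSRF but says nothing about who owns the record,
// so any logged-in user can cancel any subscription id they supply (IDOR).
function example_cancel_subscription_vulnerable() {
    check_ajax_referer( 'example_cancel_sub', 'nonce' );
    global $wpdb;
    $subscription_id = absint( $_POST['subscription_id'] ?? 0 );
    $wpdb->update( "{$wpdb->prefix}example_subscriptions",
        [ 'status' => 'cancelled' ], [ 'id' => $subscription_id ] );
    wp_send_json_success( [ 'id' => $subscription_id ] );
}

// AFTER: authentication, an ownership lookup, and a WHERE clause that also
// carries the owner id, so the update can never touch someone else's row.
function example_cancel_subscription_fixed() {
    check_ajax_referer( 'example_cancel_sub', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( [ 'message' => 'authentication required' ], 401 );
    }
    global $wpdb;
    $subscription_id = absint( $_POST['subscription_id'] ?? 0 );
    $user_id         = get_current_user_id();
    $table           = "{$wpdb->prefix}example_subscriptions";

    $owner_id = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT user_id FROM {$table} WHERE id = %d", $subscription_id ) );

    // Missing record (owner 0) or foreign record: refuse unless the caller is a site admin.
    // Logging the refusal gives SOC a signal for enumeration attempts against this endpoint.
    if ( $owner_id !== $user_id && ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'subscription cancel denied: user %d, subscription %d',
            $user_id, $subscription_id ) );
        wp_send_json_error( [ 'message' => 'forbidden' ], 403 );
    }

    $updated = $wpdb->update( $table,
        [ 'status' => 'cancelled' ],
        [ 'id' => $subscription_id, 'user_id' => $owner_id ] );
    if ( ! $updated ) {
        wp_send_json_error( [ 'message' => 'nothing cancelled' ], 404 );
    }
    wp_send_json_success( [ 'id' => $subscription_id ] );
}
add_action( 'wp_ajax_example_cancel_subscription', 'example_cancel_subscription_fixed' );
```

The same pattern applies to any per-object action (pause, update payment method, view invoice): the check must compare the record's owner against the session user, not merely confirm that a session exists.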
OpenCVE Enrichment