Description
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").
Published: 2026-04-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Payment Status Modification
Action: Patch Now
AI Analysis

Impact

The vulnerability is an insecure direct object reference that allows an unauthenticated attacker to alter the payment status of pending submissions in the Fluent Forms WordPress plugin. The 'submission_id' parameter is accepted without any ownership or authorization check, so an attacker can change a transaction's state, for example by marking a pending payment as failed. This can disrupt the plugin's financial workflow, potentially leading to revenue loss or incorrect reporting. The weakness is classified under CWE-639.

Affected Systems

The vulnerable software is the Fluent Forms plugin for WordPress, version 6.1.21 and earlier, distributed by the vendor techjewel. No specific WordPress core or other plugin versions are cited; any site running one of the affected plugin versions is exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, suggesting limited data about real-world exploitation. The vulnerability is not listed in the CISA KEV catalog, implying limited evidence of active exploitation. The likely attack vector is the AJAX endpoint used for Stripe SCA confirmation, which can be accessed without authentication, allowing crafted HTTP requests to manipulate payment states. Because the root cause is missing authorization checks on the submission_id, an attacker who can send arbitrary requests can alter payment states without needing credentials.

Generated by OpenCVE AI on April 17, 2026 at 02:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fluent Forms plugin to the latest version, where the unauthorized payment status modification vulnerability is fixed.
  • Ensure that the Stripe SCA confirmation AJAX endpoint verifies the ownership and role of the requester when handling the submission_id parameter; if it does not, add a capability check or secure token.
  • Monitor payment logs for unexpected status changes and apply additional input validation or rate-limiting on the endpoint to reduce the impact of potential abuse.
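As an added example that is not Fluent Forms code, the following hypothetical WordPress AJAX handler shows the IDOR pattern the advisory describes next to a hardened version that applies the checks recommended above; every name prefixed my_, the my_submissions table and the my_lookup_provider_status() helper are assumptions.

```php
<?php
// Added example, not Fluent Forms code. Every name prefixed my_ is hypothetical,
// as is the my_submissions table and the my_lookup_provider_status() helper.

// Vulnerable pattern (CWE-639): the client-supplied submission_id is used as the
// row key with no ownership check, so any unauthenticated request can set the
// payment status of any submission.
function my_sca_confirm_vulnerable() {
    global $wpdb;
    $submission_id = absint( $_POST['submission_id'] ?? 0 );
    $status        = sanitize_key( $_POST['status'] ?? 'failed' );
    $wpdb->update( "{$wpdb->prefix}my_submissions",
        array( 'payment_status' => $status ), array( 'id' => $submission_id ) );
    wp_send_json_success();
}

// Hardened pattern: prove the caller owns the submission, only act on a pending
// one, and take the outcome from the payment provider rather than the request.
function my_sca_confirm_hardened() {
    global $wpdb;
    // CSRF protection only: for logged-out users a WordPress nonce is shared by
    // every visitor, so it must not be mistaken for an authorization check.
    check_ajax_referer( 'my_sca_confirm', 'nonce' );

    $submission_id = absint( $_POST['submission_id'] ?? 0 );
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, payment_status, confirm_token FROM {$wpdb->prefix}my_submissions WHERE id = %d",
        $submission_id
    ) );

    // Ownership: a random per-submission token issued when the form was submitted
    // (assumed to be stored in confirm_token) must accompany the request.
    $token = (string) ( $_POST['confirm_token'] ?? '' );
    if ( ! $row || '' === $token || ! hash_equals( (string) $row->confirm_token, $token ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // State: only a pending submission may be confirmed.
    if ( 'pending' !== $row->payment_status ) {
        wp_send_json_error( array( 'message' => 'not pending' ), 409 );
    }
    // Outcome: derive the new status from the provider, never from $_POST.
    $new_status = my_lookup_provider_status( $row->id ); // 'paid' or 'failed'
    $wpdb->update( "{$wpdb->prefix}my_submissions",
        array( 'payment_status' => $new_status ), array( 'id' => $row->id ) );
    wp_send_json_success( array( 'status' => $new_status ) );
}
add_action( 'wp_ajax_nopriv_my_sca_confirm', 'my_sca_confirm_hardened' );
add_action( 'wp_ajax_my_sca_confirm', 'my_sca_confirm_hardened' );
```

The same effect is obtained for logged-in users by checking that the submission belongs to get_current_user_id() instead of, or in addition to, the per-submission token.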

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:45:00 +0000

Type: First Time appeared
Values Added:
  • Techjewel
  • Techjewel fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Techjewel
  • Techjewel fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
  • Wordpress
  • Wordpress wordpress

Thu, 16 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added:
  • ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 14:00:00 +0000

Type: Description
Values Added:
  • The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

Type: Title
Values Added:
  • Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification

Type: Weaknesses
Values Added:
  • CWE-639

Type: References

Type: Metrics
Values Added:
  • cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T14:12:35.951Z

Reserved: 2026-03-13T21:07:52.323Z

Link: CVE-2026-4160

Vulnrichment

Updated: 2026-04-16T14:12:28.490Z

NVD

Status: Received

Published: 2026-04-16T14:16:18.167

Modified: 2026-04-16T14:16:18.167

Link: CVE-2026-4160

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:00:08Z

Weaknesses