CVE-2026-4160

MEDIUM

Fluent Forms < 6.1.21 - IDOR

Title source: rule

Description

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

References (2)

https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb848244b3?source=cve

https://plugins.trac.wordpress.org/changeset/3496638/fluentform

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 11.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-639

Status published

Products (1)

techjewel/Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 6.1.21

Published Apr 16, 2026

Tracked Since Apr 16, 2026