CVE-2026-4160

MEDIUM

Fluent Forms <= 6.1.21 - Unauthenticated IDOR via Stripe SCA Confirmation

Title source: llm

Description

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

References (2)

Core 2

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb848244b3?source=cve

https://plugins.trac.wordpress.org/changeset/3496638/fluentform

Scores

CVSS v3 5.3

EPSS 0.0031

EPSS Percentile 21.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

techjewel/Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 6.1.21

Published Apr 16, 2026

Tracked Since Apr 16, 2026