WordPress Plugin Vulnerabilities

Fluent Forms < 6.2.0 - Unauthenticated Payment Status Modification via IDOR

Description

The plugin is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

Affects Plugins

Plugin icon
fluentform
Fixed in 6.2.0

References

CVE
CVE-2026-4160
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb848244b3

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Prickly Cactus
Verified
No
WPVDB ID
9cc4d1b3-eb32-401e-9add-d2324b8c1834

Timeline

Publicly Published
2026-04-16 (about 27 days ago)
Added
2026-04-16 (about 27 days ago)
Last Updated
2026-04-16 (about 27 days ago)

Other

Published
Title
Published
2025-12-31
Title
MyD Delivery <= 1.3.7 - Unauthenticated Insecure Direct Object Reference
Published
2023-06-22
Title
WooCommerce Payments < 4.5.1 - Intent Parameter Tampering
Published
2024-09-05
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.9 - Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update
Published
2025-04-11
Title
User Registration & Membership – Custom Registration Form, Login Form, and User Profile < 4.1.4 - Insecure Direct Object Reference to Unauthenticated Membership Modification
Published
2025-04-23
Title
Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure