Fluent Forms < 6.1.8 – Unauthenticated Payment Status Tampering via IDOR | CVE 2025-13748 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.

Affects Plugins

Fixed in 6.1.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c2aee799-4e4c-4a41-8b76-e2ad576fe2e2

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

Verified

No

WPVDB ID

be533215-c549-4a4c-8f0d-b86aaf37b1e0

Timeline

Publicly Published

2025-12-05 (about 5 months ago)

Added

2025-12-08 (about 5 months ago)

Last Updated

2025-12-08 (about 5 months ago)

Other

Published

Title

Published

2024-07-09

Title

Paid Memberships Pro - Membership Maps Add On < 0.7 - Contributor+ Sensitive Information Disclosure

Published

2026-05-04

Title

Forminator < 1.52.1 - Unauthenticated Missing Authorization to Payment Bypass

Published

2025-12-31

Title

MyD Delivery <= 1.3.7 - Unauthenticated Insecure Direct Object Reference

Published

2023-01-30

Title

WP Private Message < 1.0.6 - Private Message Disclosure via IDOR

Published

2024-09-25

Title

Salon booking system < 10.9.1 - Authenticated (Subscriber+) Insecure Direct Object Reference