CVE-2026-4160
Medium
Low
Medium
High
Critical
5.3
CVSS Score
Vulnerability Description
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
N
Integrity
L
Availability
N
Severity Details
5.3
out of 10.0
Medium
Weakness Type (CWE)
CWE-639
Authorization Bypass Through User-Controlled Key
- Description
- The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- Exploit Likelihood
- High
- Typical Severity
- High
- Abstraction Level
- Base
Key Information
- Published Date
- April 16, 2026
