Fluent Forms plugin allows attackers to change payment status on pending submissions

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.3

Fluent Forms plugin allows attackers to change payment status on pending submissions

CVE-2026-4160

Summary

The Fluent Forms plugin for WordPress has a security flaw that allows unauthorized users to change the payment status of pending submissions. This could allow attackers to trick people into thinking a payment was successful when it wasn't. To fix the issue, update the plugin to version 6.1.22 or later.

Original title

Original description

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

nvd CVSS3.1 5.3

Vulnerability type

CWE-639 Authorization Bypass Through User-Controlled Key

Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026