Skip to main content

Fluent Forms CVE-2026-11880

| EUVDEUVD-2026-40919 LOW
2026-07-01 WPScan GHSA-q7hq-w864-jq32
3.1
CVSS 3.1 · Vendor: WPScan

Severity by source

Vendor (WPScan) PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

Network-reachable endpoint requires authenticated low-privilege account; subscription ID enumeration raises complexity to High; impact is integrity-only with no confidentiality or availability consequence.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 01, 2026 - 11:27 vuln.today
CVSS changed
Jul 01, 2026 - 11:22 NVD
3.1 (LOW)
Patch available
Jul 01, 2026 - 08:01 EUVD
CVE Published
Jul 01, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 01, 2026 - 06:00 cve.org
LOW 3.1

DescriptionCVE.org

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users.

AnalysisAI

Subscription cancellation authorization bypass in the Fluent Forms WordPress plugin (all versions before 6.2.1) permits any authenticated low-privilege user to cancel subscriptions belonging to other site members by submitting a crafted request referencing a victim's subscription identifier. The plugin fails to verify that the requesting user owns the referenced subscription before processing the cancellation, a classic Insecure Direct Object Reference (IDOR) pattern. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege WordPress account
Delivery
Enumerate or guess target user subscription IDs
Exploit
Craft cancellation request with victim subscription ID
Execution
Submit request to unprotected cancellation endpoint
Impact
Plugin cancels victim subscription without ownership check

Vulnerability AssessmentAI

Exploitation Exploitation requires an active WordPress account with at minimum subscriber-level (low) privileges, as confirmed by the CVSS PR:L metric - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 3.1 (Low) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects a constrained threat profile: the attack is network-accessible and requires no user interaction, but demands an authenticated low-privilege account (PR:L) and the ability to enumerate or guess valid subscription IDs owned by other users (AC:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses an existing low-privilege subscriber account on a WordPress site running Fluent Forms before 6.2.1 and probes the subscription cancellation endpoint, iterating over plausible subscription ID values. Upon identifying a valid ID belonging to another user, the attacker submits a cancellation request; the plugin processes it without ownership validation, terminating the victim's subscription. …
Remediation Update the Fluent Forms WordPress plugin to version 6.2.1 or later, which introduces proper ownership verification before processing subscription cancellation requests; this is the confirmed vendor-released patch per WPScan and EUVD data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy