Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Network-accessible AJAX endpoint requires only subscriber auth (PR:L); no confidentiality leak; integrity and availability both low from subscription cancellation.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscription_id' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit cancellation requests for other users' subscriptions.
AnalysisAI
Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid WordPress account on the target site at subscriber level or above - meaning the site must permit user registration, or the attacker must have obtained credentials through another means. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.4 (Medium) is consistent with the attack profile: network-reachable (AV:N), low complexity (AC:L), low privilege required (PR:L), no user interaction (UI:N), with low integrity and low availability impact (I:L/A:L) and no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a subscriber-level WordPress account sends crafted AJAX cancellation requests to the Fluent Forms payment endpoint, substituting arbitrary subscription IDs belonging to other users. Because the endpoint validates authentication but not ownership, each request successfully cancels the targeted subscription. … |
| Remediation | Upgrade the Fluent Forms plugin to a version beyond 6.2.1; the fix has been committed to the WordPress plugin repository as changeset 3513845 (https://plugins.trac.wordpress.org/changeset/3513845/fluentform), though the exact patched release version is not independently confirmed from the available data - verify via the WordPress plugin changelog or Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e7521577-ce13-4b60-ae11-9c0f9c077cf9. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42778
GHSA-hmr3-xc3f-vfcx