Skip to main content

Fluent Forms

1 CVEs product

Monthly

CVE-2026-11880 LOW POC PATCH Monitor

Subscription cancellation authorization bypass in the Fluent Forms WordPress plugin (all versions before 6.2.1) permits any authenticated low-privilege user to cancel subscriptions belonging to other site members by submitting a crafted request referencing a victim's subscription identifier. The plugin fails to verify that the requesting user owns the referenced subscription before processing the cancellation, a classic Insecure Direct Object Reference (IDOR) pattern. A public proof-of-concept is available via WPScan; no confirmed active exploitation campaign (CISA KEV) has been identified at time of analysis, and the CVSS base score of 3.1 reflects the limited, integrity-only impact.

WordPress Information Disclosure Fluent Forms
NVD WPScan VulDB
CVSS 3.1
3.1
EPSS
0.1%
EPSS 0% CVSS 3.1
LOW POC PATCH Monitor

Subscription cancellation authorization bypass in the Fluent Forms WordPress plugin (all versions before 6.2.1) permits any authenticated low-privilege user to cancel subscriptions belonging to other site members by submitting a crafted request referencing a victim's subscription identifier. The plugin fails to verify that the requesting user owns the referenced subscription before processing the cancellation, a classic Insecure Direct Object Reference (IDOR) pattern. A public proof-of-concept is available via WPScan; no confirmed active exploitation campaign (CISA KEV) has been identified at time of analysis, and the CVSS base score of 3.1 reflects the limited, integrity-only impact.

WordPress Information Disclosure Fluent Forms
NVD WPScan VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy