CVE-2026-11880 PUBLISHED

Fluent Forms < 6.2.1 - Subscriber+ Subscription Cancellation via IDOR

Assigner: WPScan
Reserved: 10.06.2026 Published: 01.07.2026 Updated: 01.07.2026

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users.

Product Status

Vendor Unknown
Product Fluent Forms
Versions Default: unaffected
  • affected from 0 to 6.2.1 (excl.)

Credits

  • Pedro Pinho (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key