CVE-2026-4160

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification

Assigner: Wordfence
Reserved: 13.03.2026 Published: 16.04.2026 Updated: 16.04.2026

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	techjewel
Product	Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Versions	Default: unaffected Version 6.1.21 is affected

Vendor

techjewel

Product

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Versions

Default: unaffected

Version 6.1.21 is affected

Credits

Prickly Cactus finder

References

Problem Types