Vulnerabilities ›

CVE-2026-4160

Medium

CWE-639 — Weakness Type

                    Published: Apr 16, 2026                      ·  Modified: Apr 19, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

🤖 AI Executive Summary

The Fluent Forms WordPress plugin versions up to 6.1.21 contain an Insecure Direct Object Reference vulnerability in the Stripe SCA confirmation endpoint that allows unauthenticated attackers to modify payment statuses of pending submissions. Attackers can change submission payment status to 'failed' without proper authorization or ownership validation.

📄 Description (Arabic)

يحتوي مكون Fluent Forms للـ WordPress على ثغرة Insecure Direct Object Reference في نقطة نهاية تأكيد Stripe SCA التي تسمح للمهاجمين غير المصرح لهم بتعديل حالات الدفع للطلبات المعلقة. تفتقد نقطة النهاية إلى التحقق من التفويض والملكية على معامل submission_id الذي يتحكم فيه المستخدم.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 03:48

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom government healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1566

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update Fluent Forms plugin to version 6.1.22 or later immediately. Implement proper authorization checks and ownership validation on the submission_id parameter in the Stripe SCA confirmation AJAX endpoint. Review and audit all payment-related endpoints for similar authorization bypass vulnerabilities.

🔧 خطوات المعالجة (العربية)

قم بتحديث مكون Fluent Forms إلى الإصدار 6.1.22 أو أحدث فوراً. قم بتنفيذ فحوصات التفويض المناسبة والتحقق من ملكية معرف الطلب في نقطة نهاية AJAX لتأكيد Stripe SCA. قم بمراجعة وتدقيق جميع نقاط النهاية المتعلقة بالدفع للبحث عن ثغرات تجاوز التفويض المماثلة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2

🔵 SAMA CSF

AC-2 AC-3

🟡 ISO 27001:2022

A.9.2.1 A.9.4.3

🔗 References & Sources 2

🔗

https://plugins.trac.wordpress.org/changeset/3496638/fluentform

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb8...

security@wordfence.com

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-639

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-04-16

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-639

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-4160

💬 Comments

Introduce Yourself

Sign In Required