{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4160", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T21:07:52.323Z", "datePublished": "2026-04-16T13:27:09.207Z", "dateUpdated": "2026-04-16T14:12:35.951Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T13:27:09.207Z"}, "affected": [{"vendor": "techjewel", "product": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder", "versions": [{"version": "6.1.21", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to \"failed\")."}], "title": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb848244b3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3496638/fluentform"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Prickly Cactus"}], "timeline": [{"time": "2026-03-13T21:57:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T00:53:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:12:24.453454Z", "id": "CVE-2026-4160", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:12:35.951Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4160", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T14:12:24.453454Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:12:28.490Z"}}], "cna": {"title": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Prickly Cactus"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "techjewel", "product": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder", "versions": [{"status": "affected", "version": "6.1.21"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-13T21:57:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-16T00:53:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb848244b3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3496638/fluentform"}], "descriptions": [{"lang": "en", "value": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to \"failed\")."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T13:27:09.207Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4160", "state": "PUBLISHED", "dateUpdated": "2026-04-16T14:12:35.951Z", "dateReserved": "2026-03-13T21:07:52.323Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-16T13:27:09.207Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to \"failed\")."}], "id": "CVE-2026-4160", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T14:16:18.167", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3496638/fluentform"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb848244b3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.21"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder", "source": "cna", "vendor": "techjewel"}, "product": "fluent_forms_\u2013_customizable_contact_forms,_survey,_quiz,_&_conversational_form_builder", "vendor": "techjewel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T02:59:37.607545+00:00", "value": {"mitigation_remediation": ["Upgrade the Fluent Forms plugin to the latest version, where the unauthorized payment status modification vulnerability is fixed.", "Ensure that the Stripe SCA confirmation AJAX endpoint verifies the ownership and role of the requester when handling the submission_id parameter; if it does not, add a capability check or secure token.", "Monitor payment logs for unexpected status changes and apply additional input validation or rate\u2011limiting on the endpoint to reduce the impact of potential abuse."], "summary": {"action": "Patch Now", "impact": "Unauthorized Payment Status Modification"}, "threat_synthesis": {"affected_systems": "Vulnerable software is the Fluent Forms plugin for WordPress, version 6.1.21 and earlier, distributed by the vendor techjewel. No specific WordPress core or other plugin versions are cited. The attacker can target sites running any of these affected plugin versions.", "description_and_impact": "The vulnerability is an insecure direct object reference that allows an unauthenticated attacker to alter the payment status of pending submissions in the Fluent Forms WordPress plugin. The sole parameter \"submission_id\" is accepted without proper ownership or authorization checks, enabling an attacker to change a transaction\u2019s state, such as marking a pending payment as failed. This can disrupt the plugin\u2019s financial workflow, potentially leading to revenue loss or incorrect reporting. The weakness is classified under CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, suggesting limited data about real-world exploitation. The vulnerability is not listed in the CISA KEV catalog, implying limited evidence of active exploitation. The likely attack vector is the AJAX endpoint used for Stripe SCA confirmation, which can be accessed without authentication, allowing crafted HTTP requests to manipulate payment states. Because the root cause is missing authorization checks on the submission_id, an attacker who can send arbitrary requests can alter payment states without needing credentials."}}}}, "created": "2026-04-16T15:30:06.055281+00:00", "updated": "2026-04-17T03:00:08.470852+00:00", "vendors": ["techjewel", "techjewel$PRODUCT$fluent_forms_\u2013_customizable_contact_forms,_survey,_quiz,_&_conversational_form_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}