Authorization Flaw in Fluent Forms Plugin for WordPress
CVE-2026-5069

5.4MEDIUM

What is CVE-2026-5069?

The Fluent Forms plugin for WordPress contains a vulnerability that allows authenticated users with basic subscriber-level access to manipulate subscription cancellation requests. This arises from inadequate authorization checks within the AJAX flow addressing payment cancellations, enabling potential attackers to cancel subscriptions held by other users. It is essential for website administrators using this plugin to implement appropriate security measures and apply necessary updates to mitigate any associated risks.

Affected Version(s)

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 0 <= 6.2.1

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Fernando Mecozzi
.