CVE-2025-13748
BaseFortify
Publication date: 2025-12-06
Last updated on: 2025-12-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluent_forms | fluent_forms | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in the Fluent Forms WordPress plugin up to version 6.1.7. It occurs because the 'submission_id' parameter in the confirmScaPayment() function lacks proper validation. This allows unauthenticated attackers to manipulate the parameter to mark arbitrary form submissions as failed if they can guess or enumerate valid submission IDs.
How can this vulnerability impact me? :
The vulnerability allows unauthenticated attackers to mark arbitrary form submissions as failed, potentially disrupting form processing or workflows that depend on submission status. This could lead to denial of service for legitimate submissions or manipulation of submission outcomes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring requests to the endpoint handling the 'submission_id' parameter for unusual or unauthorized attempts to mark submissions as failed. Since the vulnerability involves unauthenticated crafted requests with guessed or enumerated submission IDs, inspecting web server logs for repeated or suspicious POST requests to the payment confirmation endpoints related to Fluent Forms may help. Additionally, enabling WP_DEBUG and monitoring logs for warnings related to nonce validation failures can assist in detection. Specific commands depend on your environment, but for example, using grep on web server logs to find requests containing 'submission_id' or '_ff_stripe_nonce' parameters can be useful. Example: `grep 'submission_id' /var/log/apache2/access.log` or `grep '_ff_stripe_nonce' /var/log/apache2/access.log`. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Fluent Forms plugin to version 6.1.8 or later, which includes security enhancements such as nonce-based verification for SCA confirmation requests, strict nonce validation modes, and improved validation of payment intents to prevent unauthorized marking of submissions as failed. If updating immediately is not possible, enabling WP_DEBUG to monitor suspicious activity and restricting access to the payment confirmation endpoints may help reduce risk temporarily. [2]