CVE-2026-11880
Status: Received - Intake

Fluent Forms Subscription Cancellation Privilege Escalation

Vulnerability report for CVE-2026-11880, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: WPScan

Description

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users.

Meta Information

Published: 2026-07-01
Last modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: wpforms
Product: fluent_forms
Version / Range: all versions before 6.2.1 (6.2.1 excluded)

Exploitability

CWE: CWE-UNKNOWN (no CWE assigned on this page)
KEV: no entry shown

Executive Summary

CVE-2026-11880 is an Insecure Direct Object Reference (IDOR), a form of broken access control, in the Fluent Forms WordPress plugin before version 6.2.1. It is reachable when the Payments module is enabled with a Stripe gateway and the setting "Users can manage their subscriptions" is active.

The subscription-cancellation handler checks the request's nonce but never checks that the subscription being cancelled belongs to the requesting user. A WordPress nonce is a CSRF token: it proves the request originated from a page the current user loaded, not that the user is authorised to act on the object named in the request. Every authenticated user, down to the Subscriber role, receives a valid nonce simply by viewing a page that contains the [fluentform_payments] shortcode.

An attacker therefore logs in as a Subscriber, reads the nonce out of a [fluentform_payments] page, and sends a POST request to the WordPress admin-ajax.php endpoint carrying the victim's subscription ID together with that legitimately obtained nonce. The nonce check passes, no ownership check exists, and the server cancels the victim's subscription.
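The missing check, as an added illustrative example in PHP. This is not Fluent Forms' code and does not reproduce its handler: the action name example_cancel_subscription, the table {$wpdb->prefix}example_subscriptions with columns id, user_id and status, the nonce action 'example_subscriptions' and the example_gateway_cancel() stand-in are all assumptions made for the example. The vulnerable function treats the nonce as if it were authorisation; the fixed one binds the subscription to the current user before touching the row or the gateway.

```php
<?php
// Added illustrative example, not Fluent Forms' code. Every name below
// (example_cancel_subscription, {$wpdb->prefix}example_subscriptions with
// columns id/user_id/status, the 'example_subscriptions' nonce action,
// example_gateway_cancel) is an assumption made for this example.

// VULNERABLE pattern: the nonce only proves the request came from a page the
// current user loaded (CSRF protection). Any Subscriber gets a valid nonce from
// the shortcode page, so the nonce says nothing about who owns $sub_id.
function example_cancel_subscription_vulnerable(): void {
    check_ajax_referer('example_subscriptions', 'nonce');
    global $wpdb;
    $sub_id = absint($_POST['subscription_id'] ?? 0);

    // Ownership is never consulted: the WHERE clause keys on id alone.
    $wpdb->update(
        $wpdb->prefix . 'example_subscriptions',
        ['status' => 'cancelled'],
        ['id' => $sub_id]
    );
    example_gateway_cancel($sub_id);
    wp_send_json_success(['cancelled' => $sub_id]);
}

// FIXED pattern: authenticate, then authorise against the object itself.
function example_cancel_subscription_fixed(): void {
    check_ajax_referer('example_subscriptions', 'nonce');
    if (!is_user_logged_in()) {
        wp_send_json_error(['message' => 'Authentication required'], 401);
    }
    $sub_id  = absint($_POST['subscription_id'] ?? 0);
    $user_id = get_current_user_id();

    if (!example_user_owns_subscription($user_id, $sub_id)) {
        // Same answer for "no such row" and "not yours": no ID oracle.
        wp_send_json_error(['message' => 'Subscription not found'], 404);
    }

    global $wpdb;
    // Belt and braces: the UPDATE itself is scoped to the owner, so a stale
    // ownership answer can never cancel someone else's row.
    $rows = $wpdb->update(
        $wpdb->prefix . 'example_subscriptions',
        ['status' => 'cancelled'],
        ['id' => $sub_id, 'user_id' => $user_id]
    );
    if ($rows === false) {
        wp_send_json_error(['message' => 'Could not cancel subscription'], 500);
    }
    // The gateway (Stripe) call happens only after the ownership check passed.
    example_gateway_cancel($sub_id);
    wp_send_json_success(['cancelled' => $sub_id]);
}

// Ownership check: true only when $sub_id exists and belongs to $user_id.
function example_user_owns_subscription(int $user_id, int $sub_id): bool {
    global $wpdb;
    if ($user_id < 1 || $sub_id < 1) {
        return false;
    }
    $owner = $wpdb->get_var($wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}example_subscriptions WHERE id = %d",
        $sub_id
    ));
    return $owner !== null && (int) $owner === $user_id;
}

function example_gateway_cancel(int $sub_id): void {
    // Assumed stand-in for the gateway (Stripe) cancellation call.
}

// Registered under wp_ajax_ only (logged-in users); there is deliberately no
// wp_ajax_nopriv_ registration, so anonymous users never reach the handler.
add_action('wp_ajax_example_cancel_subscription', 'example_cancel_subscription_fixed');
```

Note that a role or capability check (current_user_can()) would not have closed this hole: the legitimate owner of a subscription is itself a low-privilege user, so the decision has to be made per object, comparing the row's user_id with get_current_user_id(), rather than per role.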

Impact Analysis

Any authenticated low-privilege user can cancel subscriptions that do not belong to them.

As a result, legitimate users lose access to paid services or products without their consent, which causes service disruption and customer dissatisfaction, and the site operator incurs financial loss or administrative overhead restoring or re-creating the affected subscriptions.

Detection Guidance

Exploitation looks like a POST request to the WordPress admin-ajax.php endpoint, sent by an authenticated low-privilege account, whose action is the plugin's subscription-cancellation action and whose parameters name a subscription ID that the caller does not own. The nonce in such a request is valid, because the attacker obtained it legitimately from the source of a page carrying the [fluentform_payments] shortcode, so nonce failures are not the signal; the signal is the mismatch between the calling user and the subscription's owner.

Two caveats apply when reviewing logs:

  • Standard web-server access logs record only the request line, so the admin-ajax.php action and the subscription ID, which travel in the POST body, are normally absent. A search such as the following only finds exploitation when the action name also appears in the query string, and the parameter name shown is illustrative (this page does not give the plugin's actual action name):

    grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'cancel_subscription'

  • A more reliable source is a record that includes the request body: a WAF or ModSecurity audit log, an application-level audit hook, or the gateway side. Reconcile subscription cancellations seen in the Stripe dashboard or webhook stream against the WordPress account that initiated each one; a cancellation triggered by a Subscriber-role user who is not the subscription's owner, or one user cancelling several different subscriptions in a short window, indicates exploitation.
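Because POST bodies never reach the access log, an application-layer record is the more reliable place to look. The following must-use plugin is an added example, not part of Fluent Forms or of this advisory: it writes one JSON line per admin-ajax.php request whose action name mentions subscriptions or cancellation, together with the caller's user ID and roles. The action-name regex, the identifier-parameter regex and the "ajax-cancel-audit" log prefix are assumptions; the real Fluent Forms action name is not given on this page, so confirm it on a test site (for example in the browser's network tab when clicking Cancel) and narrow the regex accordingly.

```php
<?php
/**
 * Plugin Name: Example AJAX cancellation audit
 * Added example, not Fluent Forms code. Drop into wp-content/mu-plugins/.
 * Logs admin-ajax.php actions that look like subscription or cancellation
 * operations, with who sent them, to the PHP error log (wp-content/debug.log
 * when WP_DEBUG_LOG is enabled). Both regexes below are assumptions.
 */

// Builds the audit record for one request, or returns null when the request is
// not of interest. Kept free of WordPress calls so it can be exercised offline.
function example_ajax_audit_record(array $params, string $method, int $user_id, array $roles, string $ip): ?array {
    $action = isset($params['action']) && is_scalar($params['action']) ? (string) $params['action'] : '';
    if ($action === '' || !preg_match('/subscri|cancel/i', $action)) {
        return null;
    }
    // Capture only identifier-like parameters; never log nonce values or free text.
    $ids = [];
    foreach ($params as $key => $value) {
        if ($key !== 'action' && is_scalar($value)
            && preg_match('/(^|_)id$|subscription/i', (string) $key)) {
            $ids[$key] = substr((string) $value, 0, 64);
        }
    }
    return [
        'ts'         => gmdate('c'),
        'method'     => $method,
        'action'     => substr($action, 0, 100),
        'user_id'    => $user_id,
        'roles'      => array_values($roles),
        // Quick filter for the low-privilege case this CVE concerns.
        'subscriber' => in_array('subscriber', $roles, true),
        'ip'         => $ip,
        'ids'        => $ids,
    ];
}

if (function_exists('add_action')) {
    // admin-ajax.php fires admin_init before dispatching any wp_ajax_* handler,
    // so the record is written even if the handler itself dies early.
    add_action('admin_init', function (): void {
        if (!wp_doing_ajax()) {
            return;
        }
        $user   = wp_get_current_user();
        $record = example_ajax_audit_record(
            array_merge($_GET, $_POST),
            (string) ($_SERVER['REQUEST_METHOD'] ?? ''),
            (int) $user->ID,
            (array) $user->roles,
            (string) ($_SERVER['REMOTE_ADDR'] ?? '')
        );
        if ($record !== null) {
            error_log('ajax-cancel-audit ' . wp_json_encode($record));
        }
    }, 1);
}
```

With the plugin in place, grep the debug log for the "ajax-cancel-audit" prefix and then for "subscriber":true; each hit lists the subscription identifiers the caller named, which can be compared with the subscriptions that account actually owns. Requests from an unauthenticated client show user_id 0, which should never appear for a cancellation at all.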

Mitigation Strategies

The immediate mitigation step is to update the Fluent Forms WordPress plugin to version 6.2.1 or later, where this vulnerability has been patched.

If updating immediately is not possible, remove the vulnerable path. The issue is only reachable with the Payments module enabled, a Stripe gateway configured and the "Users can manage their subscriptions" setting active, so disabling that setting (or, more broadly, the Payments module or the Stripe gateway) until the update is applied stops low-privilege users from cancelling any subscription through the plugin.

Blanket restrictions on admin-ajax.php are a poor substitute: the endpoint is shared by WordPress core and most plugins, including unauthenticated (nopriv) requests, so blocking it breaks unrelated functionality. Where a WAF is available, a rule scoped to the specific cancellation action is preferable to blocking the endpoint. In either case, review logs of subscription cancellation requests as described under Detection Guidance.

Compliance Impact

The vulnerability allows authenticated low-privilege users to cancel subscriptions belonging to other users without proper authorization, which constitutes a broken access control issue (IDOR).

Such unauthorized access and manipulation of user subscription data could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, as it involves improper handling of user data and could result in unauthorized actions on user accounts.

However, the provided information does not explicitly state the direct impact on compliance with these standards.
