CVE-2026-5069
Received Received - Intake

Fluent Forms WordPress Plugin Authorization Bypass via Subscription ID

Vulnerability report for CVE-2026-5069, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscription_id' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit cancellation requests for other users' subscriptions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpfluent fluent_forms to 6.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Fluent Forms plugin for WordPress has a vulnerability related to incorrect authorization involving the 'subscription_id' parameter. In versions up to and including 6.2.1, the plugin does not properly verify ownership during the payment cancellation process via AJAX. This flaw allows authenticated users with subscriber-level access or higher to cancel subscriptions that belong to other users.

Impact Analysis

This vulnerability can allow an attacker with subscriber-level access or above to cancel other users' subscriptions without their permission. This could lead to unauthorized disruption of services or payments for legitimate users, potentially causing financial loss or service interruptions.

Compliance Impact

The vulnerability in the Fluent Forms plugin allows authenticated users with subscriber-level access to cancel other users' subscriptions due to insufficient authorization checks. This unauthorized action could potentially lead to improper handling of user data and subscription management.

Such unauthorized access and manipulation of user subscriptions may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over user data access and integrity. However, the provided information does not explicitly detail the compliance impact.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5069. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart