PT-2025-49355 · WordPress · Fluent Forms

Published: 2025-12-06 · Updated: 2025-12-06 · CVE-2025-13748

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress, versions up to and including 6.1.7

Description: The Fluent Forms plugin is susceptible to an Insecure Direct Object Reference (IDOR) issue. It occurs because a user-controlled key, the submission ID parameter, is not validated within the confirmScaPayment() function. Unauthenticated attackers can exploit this to mark arbitrary submissions as failed by sending specially crafted requests to the API endpoint, provided they can determine a valid submission identifier.

Recommendations: Update the Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress to a version later than 6.1.7.
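The weakness class described above is easiest to see as two versions of the same WordPress REST handler. The following is an added illustration written for this entry; it is not Fluent Forms code and does not reproduce confirmScaPayment(). The route name, the `example_` functions, the `example_submissions` table and its `user_id`/`status` columns are all assumptions. The first handler acts on whatever `submission_id` the caller sends, which is the IDOR pattern; the second authenticates the caller in the route's `permission_callback` and checks that the referenced submission belongs to that caller before any state change.

```php
<?php
// Added example, not plugin code. Demonstrates the missing-validation pattern
// behind an IDOR on a status-changing endpoint, and one way to close it.
// Route names, function names and the submissions table are assumptions.

// --- Vulnerable pattern: the object key comes straight from the request ------
function example_register_vulnerable_route() {
    register_rest_route( 'example/v1', '/payment/confirm', array(
        'methods'             => 'POST',
        'callback'            => 'example_confirm_payment_unchecked',
        'permission_callback' => '__return_true', // anonymous callers allowed
    ) );
}

function example_confirm_payment_unchecked( WP_REST_Request $request ) {
    global $wpdb;
    $submission_id = (int) $request->get_param( 'submission_id' );
    // No check that the submission exists or that the caller may touch it:
    // any integer supplied by the caller is written to.
    $wpdb->update(
        $wpdb->prefix . 'example_submissions',   // assumed table
        array( 'status' => 'failed' ),
        array( 'id' => $submission_id ),
        array( '%s' ),
        array( '%d' )
    );
    return rest_ensure_response( array( 'updated' => true ) );
}

// --- Hardened pattern: authenticate, then bind the object to the caller ------
function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/payment/confirm', array(
        'methods'             => 'POST',
        'callback'            => 'example_confirm_payment_checked',
        'permission_callback' => 'example_can_touch_submission',
        'args'                => array(
            'submission_id' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
        ),
    ) );
}

function example_load_submission( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_submissions'; // assumed table
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, user_id, status FROM {$table} WHERE id = %d", $id )
    );
}

function example_can_touch_submission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $submission = example_load_submission( (int) $request->get_param( 'submission_id' ) );
    // Unknown IDs and IDs owned by someone else get the same answer, so the
    // endpoint does not reveal which submission identifiers exist.
    if ( ! $submission || (int) $submission->user_id !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }
    return true; // permission_callback passed; the callback below may run
}

function example_confirm_payment_checked( WP_REST_Request $request ) {
    global $wpdb;
    $submission_id = (int) $request->get_param( 'submission_id' );
    $wpdb->update(
        $wpdb->prefix . 'example_submissions',
        array( 'status' => 'failed' ),
        array( 'id' => $submission_id ),
        array( '%s' ),
        array( '%d' )
    );
    return rest_ensure_response( array( 'updated' => true ) );
}

// Only the hardened route is hooked in; the vulnerable one is shown for contrast.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

The point of the hardened version is that the ownership test lives in `permission_callback`, which WordPress evaluates before the route callback, so a failed check never reaches the write. Where a payment-confirmation step genuinely has to run without a logged-in session, the same binding can be done with a per-submission random secret that is compared in constant time, rather than with a sequential ID the caller can enumerate; what matters is that the object reference alone never authorises the state change.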

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2025-13748

Affected Products: Fluent Forms