PT-2026-33318 · WordPress · Fluent Forms

Prickly Cactus · Published 2026-04-16 · Updated 2026-04-17 · CVE-2026-4160

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder, versions prior to 6.1.22

Description: An Insecure Direct Object Reference (IDOR) exists due to missing authorization and ownership validation on a user-controlled key in the Stripe SCA confirmation AJAX endpoint. This allows unauthenticated attackers to modify the payment status of targeted pending submissions, such as changing the status to "failed", by manipulating the submission id parameter.

Recommendations: Update the plugin to a version newer than 6.1.21. Until the update is applied, avoid relying on the submission id parameter in the Stripe SCA confirmation AJAX endpoint.
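The defensive pattern the description points at, written as an added example that is not Fluent Forms code: the decision function below (names, record layout and the intent-id binding are hypothetical) refuses to change a submission's payment status unless the caller presents the payment intent the submission was created with, only transitions pending submissions, and derives the new status from Stripe's server-side answer rather than from the request.

```php
<?php
// Added example, not Fluent Forms code; all names are hypothetical.
// Models the authorization check an SCA confirmation endpoint needs:
// a client-supplied submission id alone must never select which
// record's payment status changes.

declare(strict_types=1);

/**
 * Decide whether a status update may proceed and what the new status is.
 *
 * @param array  $submission   Stored record (hypothetical layout):
 *                             ['id' => int, 'payment_intent_id' => string, 'payment_status' => string]
 * @param int    $requestedId  Submission id taken from the request.
 * @param string $intentId     Payment intent id from the request; the only value binding the caller to the record.
 * @param string $stripeStatus Intent status retrieved server-to-server from Stripe, not from the browser.
 * @return array ['ok' => bool, 'status' => ?string, 'reason' => string]
 */
function decide_sca_confirmation(array $submission, int $requestedId, string $intentId, string $stripeStatus): array
{
    // Ownership binding: the record must carry exactly the intent the caller presents.
    if ($submission['id'] !== $requestedId
        || !hash_equals((string) $submission['payment_intent_id'], $intentId)) {
        return ['ok' => false, 'status' => null, 'reason' => 'submission does not belong to this payment intent'];
    }

    // State check: only pending submissions may transition; a replay against a finalized one is rejected.
    if ($submission['payment_status'] !== 'pending') {
        return ['ok' => false, 'status' => null, 'reason' => 'submission already finalized'];
    }

    // The resulting status derives from Stripe's answer, never from a client-supplied value.
    $status = ($stripeStatus === 'succeeded') ? 'paid' : 'failed';
    return ['ok' => true, 'status' => $status, 'reason' => 'ok'];
}

// Constructed sample record and two calls: a caller who knows only the submission id
// (guessing the intent) is refused; the legitimate caller completes the transition.
$stored = ['id' => 42, 'payment_intent_id' => 'pi_EXAMPLE_LEGIT', 'payment_status' => 'pending'];
$guessed = decide_sca_confirmation($stored, 42, 'pi_EXAMPLE_GUESSED', 'succeeded');
$legit   = decide_sca_confirmation($stored, 42, 'pi_EXAMPLE_LEGIT', 'succeeded');
printf("guessed intent: ok=%s reason=%s\n", var_export($guessed['ok'], true), $guessed['reason']);
printf("legit intent:   ok=%s status=%s\n", var_export($legit['ok'], true), $legit['status']);
```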

Fix

IDOR


Related Identifiers: CVE-2026-4160

Affected Products: Fluent Forms