CVE-2026-5069
Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation via 'subscription_id'
CVSS Score
5.4
EPSS Score
0.2%
EPSS Percentile
7th
The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscription_id' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit cancellation requests for other users' subscriptions.
| CWE | CWE-863 |
| Vendor | wpmanageninja |
| Product | fluent forms – customizable contact forms, survey, quiz, & conversational form builder |
| Published | Jul 10, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for wpmanageninja fluent forms – customizable contact forms, survey, quiz, & conversational form builder
Be the first to know when new medium vulnerabilities affecting wpmanageninja fluent forms – customizable contact forms, survey, quiz, & conversational form builder are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
wpmanageninja / Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
0 ≤ 6.2.1
References
Credits
Fernando Mecozzi