🔐 CVE Alert

CVE-2026-5069

MEDIUM 5.4

Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation via 'subscription_id'

CVSS Score
5.4
EPSS Score
0.2%
EPSS Percentile
7th

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscription_id' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit cancellation requests for other users' subscriptions.

CWE CWE-863
Vendor wpmanageninja
Product fluent forms – customizable contact forms, survey, quiz, & conversational form builder
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for wpmanageninja fluent forms – customizable contact forms, survey, quiz, & conversational form builder

Be the first to know when new medium vulnerabilities affecting wpmanageninja fluent forms – customizable contact forms, survey, quiz, & conversational form builder are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

wpmanageninja / Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
0 ≤ 6.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/e7521577-ce13-4b60-ae11-9c0f9c077cf9?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3513845/fluentform

Credits

Fernando Mecozzi