CVE-2025-13748: CWE-639 Authorization Bypass Through User-Controlled Key in techjewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.
CVE-2025-13748: CWE-639 Authorization Bypass Through User-Controlled Key in techjewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Description
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-26T15:56:07.294Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6933d18711163305effc5a0e
Added to database: 12/6/2025, 6:47:35 AM
Last updated: 12/6/2025, 6:47:48 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-13377: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in 10web 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
CriticalCVE-2025-13907: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tunilame CSS3 Buttons
MediumCVE-2025-13899: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pntrinh TR Timthumb
MediumCVE-2025-13898: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sozan45 Ultra Skype Button
MediumCVE-2025-13896: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdiscover Social Feed Gallery Portfolio
MediumActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.