CVE-2026-5069: CWE-863 Incorrect Authorization in wpmanageninja Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
The Fluent Forms plugin for WordPress up to version 6.2.1 contains an incorrect authorization vulnerability in its payment cancellation AJAX flow. Authenticated users with subscriber-level access or higher can exploit insufficient ownership checks on the 'subscription_id' parameter to cancel other users' subscriptions. This vulnerability has a medium severity rating and a CVSS score of 5.4.
AI Analysis
Technical Summary
CVE-2026-5069 describes an incorrect authorization vulnerability (CWE-863) in the Fluent Forms WordPress plugin by wpmanageninja. The flaw exists in the payment cancellation AJAX endpoint where the 'subscription_id' parameter is not properly verified for ownership. As a result, authenticated users with subscriber-level privileges or above can submit cancellation requests affecting subscriptions they do not own. This could lead to unauthorized subscription cancellations. The vulnerability affects versions up to and including 6.2.1. No official patch or remediation level has been provided as of the publication date.
Potential Impact
The vulnerability allows authenticated users with subscriber-level or higher privileges to cancel subscriptions belonging to other users without proper authorization. This can disrupt subscription services and cause denial of service to legitimate subscribers. There is no indication of confidentiality or data disclosure impact, but integrity and availability of subscription management are affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access where possible and monitor for suspicious subscription cancellation activity. Avoid granting unnecessary privileges to users. Follow vendor updates closely for an official patch or temporary mitigation.
CVE-2026-5069: CWE-863 Incorrect Authorization in wpmanageninja Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Description
The Fluent Forms plugin for WordPress up to version 6.2.1 contains an incorrect authorization vulnerability in its payment cancellation AJAX flow. Authenticated users with subscriber-level access or higher can exploit insufficient ownership checks on the 'subscription_id' parameter to cancel other users' subscriptions. This vulnerability has a medium severity rating and a CVSS score of 5.4.
CVSS v3.1
Score 5.4medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5069 describes an incorrect authorization vulnerability (CWE-863) in the Fluent Forms WordPress plugin by wpmanageninja. The flaw exists in the payment cancellation AJAX endpoint where the 'subscription_id' parameter is not properly verified for ownership. As a result, authenticated users with subscriber-level privileges or above can submit cancellation requests affecting subscriptions they do not own. This could lead to unauthorized subscription cancellations. The vulnerability affects versions up to and including 6.2.1. No official patch or remediation level has been provided as of the publication date.
Potential Impact
The vulnerability allows authenticated users with subscriber-level or higher privileges to cancel subscriptions belonging to other users without proper authorization. This can disrupt subscription services and cause denial of service to legitimate subscribers. There is no indication of confidentiality or data disclosure impact, but integrity and availability of subscription management are affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access where possible and monitor for suspicious subscription cancellation activity. Avoid granting unnecessary privileges to users. Follow vendor updates closely for an official patch or temporary mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-27T22:53:28.217Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a506b8368715ace43e9d782
Added to database: 07/10/2026, 03:48:19 UTC
Last enriched: 07/10/2026, 04:02:49 UTC
Last updated: 07/10/2026, 04:43:24 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.