{"api_version":"1","generated_at":"2026-07-12T20:33:59+00:00","cve":"CVE-2026-5069","urls":{"html":"https://cve.report/CVE-2026-5069","api":"https://cve.report/api/cve/CVE-2026-5069.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-5069","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-5069"},"summary":{"title":"Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation via 'subscription_id'","description":"The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscription_id' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit cancellation requests for other users' subscriptions.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-07-10 04:17:52","updated_at":"2026-07-10 19:17:27"},"problem_types":["CWE-863","CWE-863 CWE-863 Incorrect Authorization"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","data":{"baseScore":5.4,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/changeset/3513845/fluentform","name":"https://plugins.trac.wordpress.org/changeset/3513845/fluentform","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/e7521577-ce13-4b60-ae11-9c0f9c077cf9?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/e7521577-ce13-4b60-ae11-9c0f9c077cf9?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-5069","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-5069","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"wpmanageninja","product":"Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder","version":"affected 6.2.1 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-03-27T23:09:08.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2026-07-09T13:51:54.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Fernando Mecozzi","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"5069","cve":"CVE-2026-5069","epss":"0.001760000","percentile":"0.073220000","score_date":"2026-07-11","updated_at":"2026-07-12 00:00:50"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-5069","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-10T18:02:33.208787Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-10T18:02:38.866Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder","vendor":"wpmanageninja","versions":[{"lessThanOrEqual":"6.2.1","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Fernando Mecozzi"}],"descriptions":[{"lang":"en","value":"The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscription_id' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit cancellation requests for other users' subscriptions."}],"metrics":[{"cvssV3_1":{"baseScore":5.4,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-10T02:30:39.977Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/e7521577-ce13-4b60-ae11-9c0f9c077cf9?source=cve"},{"url":"https://plugins.trac.wordpress.org/changeset/3513845/fluentform"}],"timeline":[{"lang":"en","time":"2026-03-27T23:09:08.000Z","value":"Vendor Notified"},{"lang":"en","time":"2026-07-09T13:51:54.000Z","value":"Disclosed"}],"title":"Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation via 'subscription_id'"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2026-5069","datePublished":"2026-07-10T02:30:39.977Z","dateReserved":"2026-03-27T22:53:28.217Z","dateUpdated":"2026-07-10T18:02:38.866Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-10 04:17:52","lastModifiedDate":"2026-07-10 19:17:27","problem_types":["CWE-863","CWE-863 CWE-863 Incorrect Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-10T18:02:33.208787Z","id":"CVE-2026-5069","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"5069","Ordinal":"1","Title":"Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated","CVE":"CVE-2026-5069","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"5069","Ordinal":"1","NoteData":"The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscription_id' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit cancellation requests for other users' subscriptions.","Type":"Description","Title":"Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated"}]}}}