When “Paid” Becomes “Failed”: A Fluent Forms Payment Integrity Bug (CVE-2025-13748)

Modern WordPress sites frequently rely on third-party plugins to handle payments, orders, and other business-critical workflows. When these plugins process financial data, even small security oversights can have outsized operational impact. In early 2025, I identified and responsibly disclosed a payment integrity vulnerability in the popular Fluent Forms plugin that demonstrates exactly how this can happen.

The issue, assigned CVE-2025-13748, affects Fluent Forms versions ≤ 6.1.7 and exists in a Stripe-related AJAX endpoint. While the vulnerability does not allow attackers to steal funds or interact with Stripe directly, it enables unauthenticated attackers to manipulate internal payment states stored within WordPress. Specifically, legitimate payments marked as paid can be silently changed to failed—without authentication, authorization, or any user interaction.

With over 600,000 active installations and more than 13 million downloads, Fluent Forms is widely deployed across production environments. For site owners, administrators, and developers who rely on payment status to drive order fulfillment and business decisions, this type of integrity flaw can lead to confusion, operational disruption, and loss of trust in backend systems.

This blog post provides a high-level overview of the vulnerability, explains why it matters from both security and operational perspectives, and highlights key lessons for WordPress plugin developers and security practitioners. The issue has been patched in Fluent Forms version 6.1.8, and all users are strongly encouraged to update.

Vulnerability Overview

The issue exists in a publicly accessible WordPress AJAX endpoint used by Fluent Forms to handle Stripe SCA payment confirmations:

/wp-admin/admin-ajax.php?action=fluentform_sca_inline_confirm_payment

In Fluent Forms versions ≤ 6.1.7, this endpoint is exposed to unauthenticated users and processes state-changing requests without enforcing authentication, nonce validation, or capability checks. The handler accepts user-controlled parameters such as submission_id, which directly reference backend payment records.

Because submission_id values are simple incremental integers, an attacker can guess or enumerate valid IDs and invoke the payment-handling logic for submissions they do not own. By repeatedly sending requests that push the handler into an error path, the plugin updates the matching record and sets its internal payment_status to failed.

This makes the issue particularly disruptive at scale: a malicious actor could automate requests across a range of submission IDs (e.g., 1..N) and cause large numbers of legitimate paid invoices/orders to appear as failed inside the WordPress admin panel.

At a high level, a request of the following form is sufficient to trigger the behavior:

POST /wp-admin/admin-ajax.php
action=fluentform_sca_inline_confirm_payment
&submission_id=<numeric_id>
&payment_intent_id=<arbitrary_value>
&payment_method=<arbitrary_value>

This behavior represents an unauthenticated Insecure Direct Object Reference (IDOR), where internal payment state is modified solely based on a predictable identifier, without verifying the legitimacy of the request or its association with an actual Stripe transaction.
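From the defender's side, the enumeration pattern described above leaves a recognisable trace in web server logs: one source calling the confirm-payment action far more often than a real checkout ever would. The following Python script is an added example, not code from the original post or from Fluent Forms; it assumes Apache/Nginx combined-format access logs and runs over constructed sample lines embedded below.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

TARGET_ACTION = "fluentform_sca_inline_confirm_payment"  # the vulnerable action named in the advisory
# Matches Apache/Nginx combined log format (assumption: that is the format the site writes).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, submission_id) for a hit on TARGET_ACTION, else None. submission_id
    normally travels in the POST body, which access logs omit; it is only seen here if it is in the URL."""
    m = LOG_RE.match(line)
    url = urlparse(m["path"]) if m else None
    if url is None or not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = parse_qs(url.query)
    if q.get("action") != [TARGET_ACTION]:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, q.get("submission_id", [None])[0]

def find_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Map source IP -> (hits in its busiest window, distinct submission_ids seen there) for
    sources exceeding `threshold` calls within `window`; a genuine checkout confirms once."""
    events = defaultdict(list)
    for ip, ts, sid in filter(None, map(parse_line, lines)):
        events[ip].append((ts, sid))
    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start, best, best_ids = 0, 0, set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_ids = {sid for _, sid in evs[start:end + 1] if sid is not None}
        if best > threshold:
            alerts[ip] = (best, len(best_ids))
    return alerts

# Constructed sample: one genuine confirmation, one unrelated admin-ajax call, and one source sweeping twelve consecutive submission IDs in a few seconds.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Dec/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_sca_inline_confirm_payment HTTP/1.1" 200 87',
    '198.51.100.9 - - [05/Dec/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12',
] + [
    f'198.51.100.77 - - [05/Dec/2025:10:02:{i:02d} +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_sca_inline_confirm_payment&submission_id={1000 + i} HTTP/1.1" 200 87'
    for i in range(12)
]
```

Because the real requests carry submission_id in the POST body, plain access logs only give the per-source hit rate; a WAF or application log that records request bodies is needed to see the swept ID range itself.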

Disclosure Timeline

  • November 18, 2025 — I reported the vulnerability to Wordfence Intelligence.
  • Validated — The Wordfence Intelligence team reviewed and validated the report.
  • Patched — The issue was patched in Fluent Forms 6.1.8.
  • December 5, 2025 — After the patch was released, Wordfence Intelligence published CVE-2025-13748.

If you are running Fluent Forms ≤ 6.1.7, update to 6.1.8 or later.

Md. Moniruzzaman Prodhan

Director, Security Research & Programs

A cybersecurity professional working across training, security assessments, and research. Founder of the Knight Squad community and Director, Security Research & Programs at Knight Squad Academy. Has delivered cybersecurity training for multiple government agencies in Bangladesh, with hands-on experience in VAPT/penetration testing, malware analysis, reverse engineering, and AI security testing. Actively involved in responsible vulnerability research, including 0-day hunting, and contributes to the community as an event director and CTF challenge creator for KnightCTF and BDSec CTF.