Fluent Forms Under Fire: CVE-2025-13748 Lets Unauthenticated Attackers Mark Submissions as Failed

Overview

CVE-2025-13748 identifies a security vulnerability within the Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress. Specifically, it’s an Insecure Direct Object Reference (IDOR) flaw that allows unauthenticated attackers to potentially mark arbitrary form submissions as failed. This affects versions up to and including 6.1.7 of the Fluent Forms plugin.

Technical Details

The vulnerability resides within the confirmScaPayment() function of the plugin. Because the submission_id parameter is not validated, an attacker can set it to any value and send crafted requests to the affected endpoint. The endpoint performs no authorization check, so the attacker can influence the status of form submissions without being authenticated or otherwise entitled to act on them.

The core issue is the absence of any check that the caller has the right to interact with the submission whose ID is supplied: the ID alone is treated as authority. The attacker needs only to guess or enumerate valid submission IDs, and since such IDs are typically sequential integers, enumeration is trivial.
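The following is an added example and not code from Fluent Forms; the function names, the confirm_token field and the in-memory array standing in for the plugin's submissions table are all hypothetical. It contrasts the IDOR shape described above (a status change keyed on nothing but a caller-supplied submission_id) with a hardened handler that requires a per-submission secret and only transitions records that are still pending. Run with the php CLI: the attacker's ID-only request flips the record in the vulnerable handler and is rejected by the hardened one, which then accepts the same request once the token issued with that submission is presented.

```php
<?php
// Added illustrative example, not Fluent Forms code. Names are hypothetical and
// the $submissions array stands in for the plugin's database table so the file
// runs on its own.
declare(strict_types=1);

// Constructed sample data: two submissions awaiting SCA payment confirmation.
$submissions = [
    101 => ['status' => 'pending', 'confirm_token' => 'tok_a1b2c3'],
    102 => ['status' => 'pending', 'confirm_token' => 'tok_d4e5f6'],
];

/**
 * VULNERABLE pattern: the caller-supplied submission_id is the only thing that
 * selects the record, and nothing ties the caller to it. Any unauthenticated
 * client that can guess an ID can change its status.
 */
function confirm_sca_payment_vulnerable(array &$store, array $request): array
{
    $id = (int) ($request['submission_id'] ?? 0);
    if (!isset($store[$id])) {
        return ['success' => false, 'error' => 'not found'];
    }
    // No check that the requester is entitled to touch this submission.
    $store[$id]['status'] = (($request['payment_status'] ?? '') === 'succeeded') ? 'paid' : 'failed';
    return ['success' => true];
}

/**
 * HARDENED pattern: the ID alone is not authority. A secret issued to the
 * client when its submission was created must accompany the request and is
 * compared in constant time. Only records still in 'pending' may transition,
 * so a replayed request cannot overwrite a settled record.
 */
function confirm_sca_payment_hardened(array &$store, array $request): array
{
    $id    = (int) ($request['submission_id'] ?? 0);
    $token = (string) ($request['confirm_token'] ?? '');

    // One generic error for unknown ID and bad token alike, so the endpoint
    // does not act as an oracle for enumerating valid submission IDs.
    if (!isset($store[$id]) || $token === ''
        || !hash_equals($store[$id]['confirm_token'], $token)) {
        return ['success' => false, 'error' => 'invalid request'];
    }
    if ($store[$id]['status'] !== 'pending') {
        return ['success' => false, 'error' => 'already finalised'];
    }
    $store[$id]['status'] = (($request['payment_status'] ?? '') === 'succeeded') ? 'paid' : 'failed';
    return ['success' => true];
}

// Demonstration: an attacker who knows only a submission ID.
$attacker = ['submission_id' => 101, 'payment_status' => 'failed'];

$v = $submissions;
confirm_sca_payment_vulnerable($v, $attacker);
echo "vulnerable handler: submission 101 is now {$v[101]['status']}\n";

$h = $submissions;
$r = confirm_sca_payment_hardened($h, $attacker);
echo "hardened handler:   submission 101 is now {$h[101]['status']} ({$r['error']})\n";

// The legitimate client holds the token issued with its own submission.
$legit = $attacker + ['confirm_token' => 'tok_a1b2c3'];
confirm_sca_payment_hardened($h, $legit);
echo "hardened handler:   with token, submission 101 is now {$h[101]['status']}\n";
```

In a real plugin the token would be generated with a CSPRNG, stored alongside the submission when it is created, and handed only to the browser that made that submission; the status value itself should ideally be confirmed against the payment provider's record of the payment intent rather than trusted from the client. Both are design choices for this example, not a description of what Fluent Forms 6.1.8 implemented.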

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) v3 base score for CVE-2025-13748 is 5.3 (MEDIUM), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

This score reflects the following characteristics:

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: None (C:N)
  • Integrity Impact: Low (I:L)
  • Availability Impact: None (A:N)

The confidentiality and availability impacts are none: the flaw does not disclose submission data and does not take the site down. The low integrity impact reflects that an attacker can alter the status of form submissions they do not own, which causes confusion and operational problems for the site owner.

Possible Impact

Successful exploitation of this vulnerability could lead to the following:

  • Marking legitimate submissions as failed: Attackers can manipulate the status of form submissions, potentially disrupting workflows and causing data integrity issues.
  • Operational Disruption: Falsely marking submissions as failed can disrupt business processes relying on form data, such as lead generation or order processing.
  • Data Skewing: Inaccurate submission statuses can skew reports and analytics derived from form data.

Mitigation or Patch Steps

The vulnerability has been addressed in Fluent Forms version 6.1.8. All users of the plugin should update to 6.1.8 or later as soon as possible.

To update the plugin:

  1. Log in to your WordPress admin dashboard.
  2. Navigate to “Plugins” > “Installed Plugins”.
  3. Locate the “Fluent Forms” plugin.
  4. Click the “Update Now” button (if an update is available).

If auto-updates are enabled, do not assume the update has landed: confirm on the Installed Plugins page that the installed version is 6.1.8 or later.

References

WordPress Plugins Trac Changeset – Fluent Forms 6.1.8
Wordfence Threat Intelligence Report – CVE-2025-13748
