CVE-2026-12432 MEDIUM

CVE-2026-12432: Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via 'paymentIntentId' Parameter

Vendor Themeisle
Product Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions
Weakness CWE-862 · Missing authorization
Published June 27, 2026
Last update June 29, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.
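The following is an added illustration of the CWE-862 pattern the description identifies, written for this page; it is not the plugin's own code and does not reproduce its update_failed_payment_status() or updatePaymentByEventId() routines. The action name myplugin_update_failed_payment, the table myplugin_payments, the nonce action myplugin_payment_status and the manage_options capability are assumptions chosen for the example. The vulnerable shape shows the three missing gates (login, capability, nonce) and the fourth problem that those gates alone do not fix: the handler lets the caller, rather than Stripe, decide what the payment's status is. The hardened shape drops the wp_ajax_nopriv_ registration, checks nonce and capability, validates the ID format, and reads the real status from Stripe's API (assumes the stripe-php SDK is loaded and configured) before writing anything.

```php
<?php
// Added example for this advisory; NOT the plugin's code. Names are hypothetical.

// --- Vulnerable shape: reachable anonymously, trusts every POST field ---------
add_action( 'wp_ajax_myplugin_update_failed_payment',        'myplugin_update_failed_payment_vuln' );
add_action( 'wp_ajax_nopriv_myplugin_update_failed_payment', 'myplugin_update_failed_payment_vuln' ); // anyone on the internet

function myplugin_update_failed_payment_vuln() {
    global $wpdb;
    // No login check, no capability check, no nonce: the caller picks the row
    // and supplies the values. $wpdb->update() escapes them, so this is not SQL
    // injection; it is an authorization hole.
    $wpdb->update(
        $wpdb->prefix . 'myplugin_payments',                         // hypothetical table
        array(
            'status'       => 'failed',                              // a succeeded payment becomes "failed"
            'failure_code' => $_POST['failureCode'],                 // attacker-chosen
            'failure_msg'  => $_POST['failureMessage'],              // attacker-chosen
        ),
        array( 'payment_intent_id' => $_POST['paymentIntentId'] )    // attacker-chosen row
    );
    wp_send_json_success();
}

// --- Hardened shape ------------------------------------------------------------
// No wp_ajax_nopriv_ hook: admin-ajax.php rejects anonymous callers before any
// handler runs, so a logged-in session is required just to reach the function.
add_action( 'wp_ajax_myplugin_update_failed_payment', 'myplugin_update_failed_payment_safe' );

function myplugin_update_failed_payment_safe() {
    // 1. CSRF: nonce must have been minted with wp_create_nonce( 'myplugin_payment_status' )
    //    and sent as the "nonce" POST field. Dies with 403 on failure.
    check_ajax_referer( 'myplugin_payment_status', 'nonce' );

    // 2. Authorization: a nonce only proves the request came from a page we
    //    served; it says nothing about who may edit payment records.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: Stripe PaymentIntent IDs are "pi_" plus alphanumerics.
    $pi_id = isset( $_POST['paymentIntentId'] )
        ? sanitize_text_field( wp_unslash( $_POST['paymentIntentId'] ) )
        : '';
    if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $pi_id ) ) {
        wp_send_json_error( array( 'message' => 'bad payment intent id' ), 400 );
    }

    // 4. Source of truth: ask Stripe what happened instead of believing the POST.
    //    Even an authorized user cannot flip a succeeded payment to "failed".
    try {
        $intent = \Stripe\PaymentIntent::retrieve( $pi_id );
    } catch ( \Stripe\Exception\ApiErrorException $e ) {
        wp_send_json_error( array( 'message' => 'unknown payment intent' ), 404 );
    }
    if ( 'succeeded' === $intent->status ) {
        wp_send_json_error( array( 'message' => 'payment did not fail' ), 409 );
    }
    $err = $intent->last_payment_error; // null when Stripe recorded no error

    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'myplugin_payments',
        array(
            'status'       => 'failed',
            'failure_code' => $err ? (string) $err->code : '',    // Stripe's value, not the caller's
            'failure_msg'  => $err ? (string) $err->message : '',
        ),
        array( 'payment_intent_id' => $pi_id )
    );
    wp_send_json_success();
}
```

Two points to take from the hardened version when reviewing similar handlers. First, adding only a nonce would not have closed this hole: WordPress nonces for anonymous visitors are issued to anyone who loads the page that calls wp_create_nonce(), so the capability check is what makes the endpoint an authorized operation. Second, because the data being written (a payment's outcome) already has an authoritative owner, the strongest fix is structural: record the status Stripe reports, via the API lookup shown here or via a signature-verified webhook, and never accept it from the browser at all.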

Explanation of Vulnerability in Simple Terms

02 Summary

The Stripe Payment Forms plugin for WordPress (the WP Full Stripe Free plugin named in the description) performs no authorization check on its wpfs_update_failed_payment_status AJAX action. Because the action is also registered for anonymous visitors, an attacker without any account on the site can rewrite the site's stored record of a payment. The vulnerability affects versions up to and including 8.4.3. Site owners should update to a version newer than 8.4.3 to remediate this issue.

What an attacker can do

03 Attacker Capabilities

Modify the plugin's stored payment records without logging in to the site: mark a payment that actually succeeded as failed, and set its recorded failure code and failure message to attacker-supplied text.

Potential impact on your site

04 Site Impact

Payment records in the site's database can be falsified: a successful payment can be shown as failed, with arbitrary failure details, which corrupts order history and breaks reconciliation between the site and Stripe. The flaw changes only the site's local record, not the plugin's form configuration or settings.

Conditions required to exploit

05 Prerequisites

Network access to the site's AJAX endpoint (admin-ajax.php) and a valid Stripe Payment Intent ID for the payment to be altered; no authentication or user interaction is required. Payment Intent IDs are exposed to the customer's browser during the normal Stripe.js checkout flow, so they are not secret values.

Key dates

06 Disclosure timeline

June 27, 2026 CVE published
June 29, 2026 Record updated