01. Description: what the vulnerability does
The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment or full payment bypass.
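As an added example (not Forminator's own code), the kind of server-side validation that closes this class of bug: the intent is looked up on the server, its amount and currency are compared with the server-held price of the form being submitted, it is bound to the form it was created for, and it may be consumed only once. The intent records and form prices below are constructed stand-ins; in production the record comes from a Stripe PaymentIntent retrieve call made with the secret key, never from the request body.

```python
# Added example (not the plugin's own code): server-side checks a paid-form
# handler should apply to a client-supplied Stripe PaymentIntent id before it
# marks a submission as paid. INTENTS is a constructed stand-in for what a
# PaymentIntent retrieve call returns (id, status, amount, currency, metadata).

# Constructed records: a cheap intent that really succeeded, and one for the
# expensive form. Amounts are in the smallest currency unit, as Stripe reports them.
INTENTS = {
    "pi_low": {"id": "pi_low", "status": "succeeded", "amount": 500,
               "currency": "usd", "metadata": {"form_id": "basic"}},
    "pi_high": {"id": "pi_high", "status": "succeeded", "amount": 10000,
                "currency": "usd", "metadata": {"form_id": "premium"}},
}

# Server-held form definitions: the price comes from here, never from the client.
FORMS = {
    "basic": {"amount": 500, "currency": "usd"},
    "premium": {"amount": 10000, "currency": "usd"},
}

def validate_payment_intent(intent, form_id, consumed_ids):
    """Return (ok, reason); every check compares against server-side expectations."""
    if intent is None:
        return False, "unknown PaymentIntent"
    if intent.get("status") != "succeeded":
        return False, "payment not succeeded"
    expected = FORMS[form_id]
    # The low-value intent reuse described above fails here: the amount actually
    # paid is compared with the price of the form being submitted.
    if intent.get("amount") != expected["amount"] or intent.get("currency") != expected["currency"]:
        return False, "amount or currency does not match this form"
    # The intent must have been created for this form (metadata written server-side
    # at creation time), so an intent from another form cannot be transplanted.
    if intent.get("metadata", {}).get("form_id") != form_id:
        return False, "PaymentIntent was created for a different form"
    # One intent completes exactly one submission; a replay of a consumed id is rejected.
    if intent["id"] in consumed_ids:
        return False, "PaymentIntent already used"
    consumed_ids.add(intent["id"])
    return True, "ok"

def submit_paid_form(intent_id, form_id, consumed_ids):
    """Handler entry point: resolve the id server-side, then validate the record."""
    return validate_payment_intent(INTENTS.get(intent_id), form_id, consumed_ids)

if __name__ == "__main__":
    used = set()
    print(submit_paid_form("pi_low", "premium", used))   # rejected: amount mismatch
    print(submit_paid_form("pi_high", "premium", used))  # accepted once
    print(submit_paid_form("pi_high", "premium", used))  # rejected: replay
```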
02. Summary: explanation of the vulnerability in simple terms
Forminator Forms versions up to 1.52.0 contain an integrity vulnerability allowing unauthenticated attackers to modify data via the network. The vulnerability requires no user interaction and affects the plugin's core functionality. Site administrators should update to a version newer than 1.52.0 to remediate the issue.
03. Attacker capabilities: what an attacker can do
Modify form data or settings without authentication.
04. Site impact: potential impact on your site
Form submissions or configurations could be altered by unauthorized parties.
05. Prerequisites: conditions required to exploit
Network access only; no authentication or user interaction required.
06. Disclosure timeline: key dates
May 5, 2026: CVE published
May 5, 2026: Record updated