🔐 CVE Alert

CVE-2026-12432

MEDIUM 5.3

Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via 'paymentIntentId' Parameter

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.
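The missing checks described above, shown as an added hardening example that is not the plugin's own code: the handler is registered for logged-in users only, verifies a nonce and a capability, validates the PaymentIntent id, and takes the failure details from Stripe rather than from the POST body. The nonce action name, the capability, the Stripe wrapper and the persistence wrapper are all assumptions; the plugin's real updatePaymentByEventId() signature is not shown on the page.

```php
<?php
// Illustrative hardened variant of a WordPress AJAX handler with the shape described
// in the advisory. Function and option names below are hypothetical, not the plugin's.

// Register only for authenticated users: no wp_ajax_nopriv_ hook for a state-changing action.
add_action( 'wp_ajax_wpfs_update_failed_payment_status', 'hardened_update_failed_payment_status' );

function hardened_update_failed_payment_status() {
    // 1. Nonce check (CSRF). Third argument false: return instead of die(), so we can answer JSON.
    if ( ! check_ajax_referer( 'wpfs_payment_status_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Capability check (authorization). 'manage_options' is an assumed choice; a shop-specific
    //    capability would be the usual refinement.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input validation: a Stripe PaymentIntent id looks like pi_<alphanumeric>.
    $intent_id = isset( $_POST['paymentIntentId'] )
        ? sanitize_text_field( wp_unslash( $_POST['paymentIntentId'] ) )
        : '';
    if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $intent_id ) ) {
        wp_send_json_error( array( 'message' => 'Malformed PaymentIntent id.' ), 400 );
    }

    // 4. Never trust the client's verdict on the payment. Ask Stripe for the authoritative
    //    state (or rely on a signature-verified webhook). Hypothetical SDK wrapper.
    $intent = wpfs_stripe_retrieve_payment_intent( $intent_id );
    if ( null === $intent || 'succeeded' === $intent->status || empty( $intent->last_payment_error ) ) {
        wp_send_json_error( array( 'message' => 'Payment is not in a failed state at Stripe.' ), 409 );
    }

    // Failure code and message come from Stripe's last_payment_error, not from $_POST.
    $failure_code    = isset( $intent->last_payment_error->code ) ? $intent->last_payment_error->code : 'unknown';
    $failure_message = isset( $intent->last_payment_error->message ) ? $intent->last_payment_error->message : '';

    // 5. Persist the Stripe-sourced values. Hypothetical wrapper around the plugin's DB layer.
    wpfs_persist_failed_payment( $intent_id, $failure_code, $failure_message );
    wp_send_json_success();
}
```

If the action is genuinely meant to be called from the anonymous checkout page, step 4 is the control that matters most: the server-side Stripe lookup (or a verified webhook) decides the status, so a forged request cannot flip a successful payment to failed.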

CWE: CWE-862
Vendor: themeisle
Product: stripe payment forms by wp full pay – accept credit card payments, donations & subscriptions
Published: Jun 27, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: None (C:N)
Integrity: Low (I:L)
Availability: None (A:N)

Affected Versions

themeisle / Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions
0 ≤ version ≤ 8.4.3

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c5811d13-0c5d-4a10-86a1-6318cc2e7663?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L3865
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L706
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L3840
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-database.php#L2652
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L3865
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L706
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L3840
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-database.php#L2652
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3584355%40wp-full-stripe-free&new=3584355%40wp-full-stripe-free&sfp_email=&sfph_mail=

Credits

Netwurm