Skip to main content

WP Full Stripe Free CVE-2026-12432

| EUVDEUVD-2026-39957 MEDIUM
Missing Authorization (CWE-862)
2026-06-27 Wordfence GHSA-26qv-fwp4-4p47
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable unauthenticated AJAX endpoint; low complexity since Payment Intent IDs are routinely exposed to browsers; integrity-only impact limited to payment record manipulation.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:53 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 5.3

DescriptionCVE.org

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.

AnalysisAI

Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Initiate checkout on target WP site
Delivery
Capture Stripe Payment Intent ID from browser
Exploit
Craft POST to admin-ajax.php with action=wpfs_update_failed_payment_status
Execution
Pass Payment Intent ID and forged failure codes
Persist
Database record updated: successful payment marked failed
Impact
Merchant order fulfillment blocked or reversed

Vulnerability AssessmentAI

Exploitation The attacker must possess a valid Stripe Payment Intent ID scoped to the target WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker visits the target WordPress e-commerce site and initiates a checkout, intentionally allowing Stripe.js to generate a Payment Intent ID that appears in browser network traffic or JavaScript state. The attacker then aborts the purchase and sends a crafted POST request to https://target.example.com/wp-admin/admin-ajax.php with action=wpfs_update_failed_payment_status, the harvested Payment Intent ID, and attacker-supplied failure codes. …
Remediation Upstream fix available via WordPress plugin SVN changeset 3584355 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3584355%40wp-full-stripe-free&new=3584355%40wp-full-stripe-free); a specific released patched version number is not independently confirmed from the available data - verify the latest version in the WordPress plugin directory and update immediately beyond 8.4.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy