Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable unauthenticated AJAX endpoint; low complexity since Payment Intent IDs are routinely exposed to browsers; integrity-only impact limited to payment record manipulation.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.
AnalysisAI
Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess a valid Stripe Payment Intent ID scoped to the target WordPress site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker visits the target WordPress e-commerce site and initiates a checkout, intentionally allowing Stripe.js to generate a Payment Intent ID that appears in browser network traffic or JavaScript state. The attacker then aborts the purchase and sends a crafted POST request to https://target.example.com/wp-admin/admin-ajax.php with action=wpfs_update_failed_payment_status, the harvested Payment Intent ID, and attacker-supplied failure codes. … |
| Remediation | Upstream fix available via WordPress plugin SVN changeset 3584355 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3584355%40wp-full-stripe-free&new=3584355%40wp-full-stripe-free); a specific released patched version number is not independently confirmed from the available data - verify the latest version in the WordPress plugin directory and update immediately beyond 8.4.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39957
GHSA-26qv-fwp4-4p47