Skip to main content

Stripe Payment Forms By Wp Full Pay Accept Credit Card Payments Donations Subscriptions

1 CVEs product

Monthly

CVE-2026-12432 MEDIUM This Month

Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Stripe Payment Forms By Wp Full Pay Accept Credit Card Payments Donations Subscriptions
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM This Month

Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Stripe Payment Forms By Wp Full Pay Accept Credit Card Payments Donations Subscriptions
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy