Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Published: 2025-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Duplicate Payment Notification & Admin Confusion
Action: Patch
AI Analysis

Impact

The vulnerability lies in the Forminator "handle_stripe_single" function, which fails to properly validate a user‑controlled key and allows the same Stripe PaymentIntent to be replayed multiple times. The first replay triggers a genuine transaction with Stripe, but subsequent replays are treated as successful and trigger the plugin’s normal success‐email workflow. As a result, administrators may receive several email confirmations for a single transaction, potentially leading to the fulfillment of duplicate orders, confusion, and financial loss. The flaw is identified as CWE‑354, reflecting inadequate input validation that permits unintended reuse of data.

Affected Systems

Vulnerable vendor: WPMUDEV Forminator Forms – Contact Form, Payment Form & Custom Form Builder. All versions up to and including 1.42.0 are impacted; newer releases are unaffected.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. Because the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, the probability of real‑world exploitation is very low at present. Nonetheless, an attacker with knowledge of a PaymentIntent ID can unauthenticatedly craft requests to the public WordPress site’s form endpoint and replay that intent, causing false order notifications to be sent. The attack does not modify the payment itself but exploits the plugin’s email logic to mislead administrators.

Generated by OpenCVE AI on April 20, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Forminator to version 1.43 or later to apply the vendor fix.
  • If an upgrade is not immediately feasible, temporarily disable all Forminator forms on the WordPress site to eliminate the attack surface.
  • As a temporary workaround, add server‑side checks to verify that a PaymentIntent has not already triggered a success email before sending notification emails.

Generated by OpenCVE AI on April 20, 2026 at 23:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11504 The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
History

Wed, 28 May 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Wpmudev
Wpmudev forminator Forms
CPEs cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:free:wordpress:*:*
Vendors & Products Wpmudev
Wpmudev forminator Forms

Thu, 17 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Title Forminator <= 1.42.0 - Order Replay Vulnerability
Weaknesses CWE-354
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wpmudev Forminator Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:34.121Z

Reserved: 2025-04-09T19:48:06.225Z

Link: CVE-2025-3479

cve-icon Vulnrichment

Updated: 2025-04-17T13:39:34.562Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-17T12:15:15.633

Modified: 2025-05-28T17:54:30.707

Link: CVE-2025-3479

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses