Description
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.
Published: 2026-06-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Full Stripe Free is vulnerable because the wpfs_update_failed_payment_status AJAX handler performs no capability check, no nonce verification and no logged-in check. An unauthenticated attacker who knows a valid Stripe Payment Intent ID (Stripe.js exposes it to the customer's browser during checkout) can POST to the endpoint and make the plugin mark a successful payment as failed and overwrite the stored failure code and message with attacker-supplied values. The payment record in the site's database then no longer matches what Stripe actually processed, which corrupts reporting and reconciliation and could be abused, for example, to make a legitimate charge appear to have failed.
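As an added illustration (not code from the WP Full Stripe plugin, from Wordfence or from OpenCVE), the following PHP reconstructs the pattern the advisory describes and places a hardened handler beside it. The action name, the update_failed_payment_status() method, the updatePaymentByEventId() call and the paymentIntentId parameter come from the advisory; the class names, the failureCode and failureMessage field names, the nonce action name wpfs_checkout, the exact signature of updatePaymentByEventId() and the use of the stripe-php client are assumptions made for the example.

```php
<?php
// Added illustration, not code from the WP Full Stripe plugin, Wordfence or OpenCVE.
// Action/method names and the paymentIntentId parameter come from the advisory;
// class names, the failureCode/failureMessage fields, the nonce action
// 'wpfs_checkout', the shape of $this->db->updatePaymentByEventId() and the use
// of the stripe-php client are assumptions made for this example.

class Wpfs_Failed_Payment_Handler_Vulnerable {
    private $db;

    public function __construct( $db ) {
        $this->db = $db;
        // Registered on both hooks: logged-in and anonymous visitors reach the handler.
        add_action( 'wp_ajax_wpfs_update_failed_payment_status',        array( $this, 'update_failed_payment_status' ) );
        add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', array( $this, 'update_failed_payment_status' ) );
    }

    // The pattern the advisory describes: no nonce, no capability check, and every
    // value written to the payments table is copied straight from the request.
    public function update_failed_payment_status() {
        $this->db->updatePaymentByEventId(
            $_POST['paymentIntentId'],
            array(
                'status'         => 'failed',
                'failureCode'    => $_POST['failureCode'],
                'failureMessage' => $_POST['failureMessage'],
            )
        );
        wp_send_json_success();
    }
}

class Wpfs_Failed_Payment_Handler_Hardened {
    private $db;
    private $stripe; // \Stripe\StripeClient constructed with the site's secret key

    public function __construct( $db, \Stripe\StripeClient $stripe ) {
        $this->db     = $db;
        $this->stripe = $stripe;
        add_action( 'wp_ajax_wpfs_update_failed_payment_status',        array( $this, 'update_failed_payment_status' ) );
        add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', array( $this, 'update_failed_payment_status' ) );
    }

    public function update_failed_payment_status() {
        // 1. Request integrity: the checkout page must have been rendered with
        //    wp_create_nonce( 'wpfs_checkout' ) and the JS must send it as 'nonce'.
        //    check_ajax_referer() ends the request with HTTP 403 on mismatch.
        //    A nonce is CSRF protection, not authorization: anyone can load the
        //    checkout page and read it, which is why steps 3 and 4 exist.
        check_ajax_referer( 'wpfs_checkout', 'nonce' );

        // 2. If this endpoint were only called from wp-admin, the fix would be to
        //    drop the nopriv registration above and require a capability here:
        //    if ( ! current_user_can( 'manage_options' ) ) wp_send_json_error( 'forbidden', 403 );
        //    The plugin registers it for guests, so this example keeps it reachable.

        // 3. Validate the single client-supplied value that is kept: the intent id.
        $pi_id = isset( $_POST['paymentIntentId'] )
            ? sanitize_text_field( wp_unslash( $_POST['paymentIntentId'] ) )
            : '';
        if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $pi_id ) ) {
            wp_send_json_error( 'invalid paymentIntentId', 400 );
        }

        // 4. Decide from Stripe's view of the intent, not from the browser's claims.
        try {
            $pi = $this->stripe->paymentIntents->retrieve( $pi_id );
        } catch ( \Stripe\Exception\ApiErrorException $e ) {
            wp_send_json_error( 'unknown payment intent', 404 );
        }
        if ( 'succeeded' === $pi->status || null === $pi->last_payment_error ) {
            // A succeeded intent can never be flipped to failed through this path.
            wp_send_json_error( 'payment has not failed', 409 );
        }

        // Only Stripe-reported values are persisted; the request body contributes
        // nothing beyond the id that was looked up.
        $this->db->updatePaymentByEventId(
            $pi_id,
            array(
                'status'         => 'failed',
                'failureCode'    => (string) $pi->last_payment_error->code,
                'failureMessage' => (string) $pi->last_payment_error->message,
            )
        );
        wp_send_json_success();
    }
}
```

The point of the hardened version is that a nonce and a capability check are necessary but, for an endpoint the checkout page calls on behalf of guests, not sufficient: the browser is allowed to say which Payment Intent to look at, and nothing else. The status, failure code and message are read back from Stripe, so a request that names a succeeded intent changes nothing.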

Affected Systems

The issue affects the WordPress plugin "Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions" from themeisle, in all versions up to and including 8.4.3.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: reachable over the network with no privileges or user interaction, but the only rated impact is a limited loss of integrity; confidentiality and availability are unaffected. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation needs one unauthenticated POST to the wpfs_update_failed_payment_status action through admin-ajax.php plus a valid Payment Intent ID. Such IDs are not secret: Stripe.js sends them to the customer's browser during checkout, so an attacker can always obtain IDs for checkouts they start themselves, while tampering with another customer's record requires that customer's ID. Because the endpoint is reachable by anyone, exploitation is possible on any production site running an affected version until it is updated or the endpoint is restricted.

Generated by OpenCVE AI on June 27, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Full Stripe Free plugin to a release newer than 8.4.3 as soon as the vendor publishes one; at the time of writing no fixed version is listed here.
  • If an update is not possible, stop unauthenticated access by removing (or pre-empting from a must-use plugin) the wp_ajax_nopriv_ registration of wpfs_update_failed_payment_status. Note that the wp_ajax_ registration performs no capability check either, so any logged-in account can still reach the handler until one is added.
  • In the handler itself, add nonce validation and a capability check, and do not persist a client-supplied failure code or message: the only thing the browser can legitimately tell the site is which Payment Intent to look at.
  • Log and monitor POST requests to admin-ajax.php carrying action=wpfs_update_failed_payment_status. Repeated calls from one source, calls that reference Payment Intent IDs the site has no record of, and status changes on payments that Stripe reports as succeeded are the signals to look for.
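The second and fourth actions can be applied without editing the plugin, as an added example that is not code from the plugin, from Wordfence or from OpenCVE: a must-use plugin that hooks the same AJAX actions at an earlier priority, refuses anonymous callers, requires an administrative capability from logged-in callers, and writes one log line per attempt. The hook names come from the advisory; the assumption that the plugin registers its callback at the default priority 10, the choice of the manage_options capability and the log format are the example's own.

```php
<?php
/**
 * Plugin Name: Temporary guard for wpfs_update_failed_payment_status
 * Description: Drop into wp-content/mu-plugins/ until the plugin is updated.
 *
 * Added example, not code from the plugin, Wordfence or OpenCVE. The hook names
 * come from the advisory; the priority assumption (plugin registers at the
 * default 10), the capability chosen and the log format are assumptions.
 */

// remove_action() would need the plugin's callback (an object method we hold no
// reference to), so instead run first (priority 0 < 10) and end the request.
add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', 'wpfs_guard_block_anonymous', 0 );
function wpfs_guard_block_anonymous() {
    wpfs_guard_log( 'blocked anonymous' );
    wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() calls wp_die()
}

// The logged-in path has no capability check either; any subscriber account
// could call it. Require an administrative capability before the plugin runs.
add_action( 'wp_ajax_wpfs_update_failed_payment_status', 'wpfs_guard_require_capability', 0 );
function wpfs_guard_require_capability() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wpfs_guard_log( 'blocked uid=' . get_current_user_id() );
        wp_send_json_error( 'forbidden', 403 );
    }
    wpfs_guard_log( 'allowed uid=' . get_current_user_id() );
}

// One line per attempt in the PHP error log (with WP_DEBUG_LOG: wp-content/debug.log),
// so attempts can be counted per source address and per Payment Intent ID.
function wpfs_guard_log( $verdict ) {
    $pi = isset( $_POST['paymentIntentId'] )
        ? sanitize_text_field( wp_unslash( $_POST['paymentIntentId'] ) )
        : '-';
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log( sprintf(
        'wpfs_update_failed_payment_status %s ip=%s paymentIntentId=%s',
        $verdict, $ip, $pi
    ) );
}
```

Blocking the anonymous path also disables whatever legitimate guest-side use the plugin makes of this handler (it registered it for guests for a reason), so confirm that failed guest payments are still recorded by another route, for instance Stripe webhook handling if the plugin provides it, before relying on this guard beyond the update window.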

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 07:30:00 +0000

Initial entry (no values removed; the fields below were added):

Description: The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.
Title: Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via 'paymentIntentId' Parameter
Weaknesses: CWE-862
References: (none)
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-27T06:50:59.039Z

Reserved: 2026-06-16T18:12:09.808Z

Link: CVE-2026-12432

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T08:30:07Z

Weaknesses