Description
The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.
Published: 2026-05-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Forminator plugin for WordPress has a flaw that allows an unauthenticated attacker to have a high-value paid form accepted as completed by reusing a previously successful low-value Stripe PaymentIntent. Because the plugin does not confirm that the user is authorized to perform the payment action for the supplied identifier, the attacker can submit a valid PaymentIntent identifier in the public payment flow and have the high-value form recorded as paid without ever completing the corresponding high-value transaction. This bypass enables underpayment or complete payment evasion, undermining the financial integrity of the site.

Affected Systems

The vulnerability affects the Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin from wpmudev. All versions up to and including 1.52.0 are impacted; later releases address the missing authorization check. Any WordPress site that relies on the plugin for processing Stripe payments at version 1.52.0 or earlier is at risk.

Risk and Exploitability

With a CVSS score of 5.3, the CVE represents moderate severity, and the EPSS score is not reported. The issue is not currently listed in CISA KEV. The primary attack vector is likely the public payment submission endpoint, where an unauthenticated user can craft an HTTP request that includes a previously succeeded Stripe PaymentIntent identifier. An attacker needs only to know or guess a valid PaymentIntent ID; no privileged credentials are required. Once the request is accepted, the payment workflow processes it as a completed transaction, effectively bypassing the intended authorization.

Generated by OpenCVE AI on May 5, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Forminator plugin to a release newer than 1.52.0.
  • Disable or restrict the reuse of Stripe PaymentIntent identifiers in the public payment flow to enforce unique identifiers per transaction.
  • Audit recent form completions for underpayment occurrences and revoke or adjust orders as necessary.
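The server-side check that closes this class of bug, written here as an added example in Python (it is not Forminator's PHP code): the PaymentIntent id still arrives from the client, but every property is re-read from Stripe, compared against what the form expects, and the id is claimed exactly once. `fetch_intent` is a constructed stand-in for `stripe.PaymentIntent.retrieve`, and binding the intent to the form through a `form_id` metadata key is an assumed convention.

```python
"""Validate a client-supplied Stripe PaymentIntent id before marking a form as paid.

Added example, not the plugin's code. Amounts are in Stripe minor units (cents).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample of what Stripe would return for three intents:
# a succeeded low-value one, a succeeded full-price one, and an unpaid one.
FAKE_STRIPE: Dict[str, dict] = {
    "pi_low":  {"status": "succeeded", "amount": 100,
                "currency": "usd", "metadata": {"form_id": "form_7"}},
    "pi_full": {"status": "succeeded", "amount": 50000,
                "currency": "usd", "metadata": {"form_id": "form_7"}},
    "pi_open": {"status": "requires_payment_method", "amount": 50000,
                "currency": "usd", "metadata": {"form_id": "form_7"}},
}


def fetch_intent(intent_id: str) -> Optional[dict]:
    """Hypothetical stand-in for stripe.PaymentIntent.retrieve(intent_id)."""
    return FAKE_STRIPE.get(intent_id)


@dataclass
class PaymentValidator:
    expected_amount: int          # what this form charges, in minor units
    expected_currency: str
    form_id: str
    consumed: Set[str] = field(default_factory=set)  # durable, atomic store in production

    def accept(self, intent_id: str) -> Tuple[bool, str]:
        """Return (accepted, reason). Nothing from the request is trusted
        except the id, which is only used to look the intent up at Stripe."""
        intent = fetch_intent(intent_id)
        if intent is None:
            return False, "unknown intent"
        if intent["status"] != "succeeded":
            return False, "not succeeded"
        if intent["metadata"].get("form_id") != self.form_id:
            return False, "intent not created for this form"
        if (intent["currency"] != self.expected_currency
                or intent["amount"] != self.expected_amount):
            return False, "amount/currency mismatch"      # blocks low-value reuse
        if intent_id in self.consumed:
            return False, "intent already used"           # blocks replay of a real payment
        self.consumed.add(intent_id)  # claim before fulfilment, never after
        return True, "ok"
```

In a real deployment the `consumed` set must be a database uniqueness constraint or equivalent so that two concurrent submissions cannot both claim the same intent.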

Advisories

No advisories yet.

History

Tue, 05 May 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 09:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress; Wpmudev; Wpmudev forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vendors & Products                    Wordpress; Wordpress wordpress; Wpmudev; Wpmudev forminator Forms – Contact Form, Payment Form & Custom Form Builder

Tue, 05 May 2026 07:00:00 +0000

Type          Values Removed   Values Added
Description                    The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.
Title                          Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T14:13:01.575Z

Reserved: 2026-02-19T02:39:56.765Z

Link: CVE-2026-2729

Vulnrichment

Updated: 2026-05-05T13:48:37.220Z

NVD

Status : Deferred

Published: 2026-05-05T07:15:59.960

Modified: 2026-05-05T19:08:20.090

Link: CVE-2026-2729

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T09:15:20Z

Weaknesses