← Back
2026-05-05 6:43CVE-2026-2729Wordfence
PUBLISHED5.2CWE-639

Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter

The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.

Problem type

Affected products

wpmudev

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

<= 1.52.0 - AFFECTED

References

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/changeset/3500669/forminator

GitHub Security Advisories

GHSA-xf3j-2pwf-m9rm

The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to,...

https://github.com/advisories/GHSA-xf3j-2pwf-m9rm

The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-2729

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/changeset/3500669/forminator

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve

github.com

https://github.com/advisories/GHSA-xf3j-2pwf-m9rm

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-2729
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-2729",
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "dateUpdated": "2026-05-05T06:43:30.131Z",
    "dateReserved": "2026-02-19T02:39:56.765Z",
    "datePublished": "2026-05-05T06:43:30.131Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence",
        "dateUpdated": "2026-05-05T06:43:30.131Z"
      },
      "title": "Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions."
        }
      ],
      "affected": [
        {
          "vendor": "wpmudev",
          "product": "Forminator Forms – Contact Form, Payment Form & Custom Form Builder",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "1.52.0"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "cweId": "CWE-639",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3500669/forminator"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-02-19T03:05:04.000Z",
          "lang": "en",
          "value": "Vendor Notified"
        },
        {
          "time": "2026-05-04T17:34:23.000Z",
          "lang": "en",
          "value": "Disclosed"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kittipat Jitphonchana",
          "type": "finder"
        }
      ]
    }
  }
}