Order Replay Vulnerability in Forminator Forms Plugin by WordPress
CVE-2025-3479

5.3 MEDIUM

Key Information:

Summary

The Forminator Forms plugin for WordPress suffers from an Order Replay vulnerability affecting versions up to and including 1.42.0. The flaw lies in the 'handle_stripe_single' function, where insufficient validation of user-controlled input allows unauthenticated attackers to reuse a single Stripe PaymentIntent across multiple form submissions. Although Stripe processes only the first transaction successfully, the plugin sends a confirmation email for every attempt, which can mislead administrators into fulfilling orders that were never actually paid for.
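To make the defect class concrete, here is an added example (not Forminator's code, and not the patched 'handle_stripe_single' function) that models a form handler taking a PaymentIntent ID from the request. The vulnerable handler trusts the submitted ID and emails on every attempt; the fixed handler verifies the intent's status and amount against the gateway and keeps a ledger of consumed intent IDs so a replayed ID is refused before any confirmation goes out. The gateway lookup, intent IDs and amounts are constructed stand-ins for the Stripe API.

```python
"""Replay-guarded order confirmation for a Stripe-style PaymentIntent flow.

Added example, not the plugin's code. It models the defect described in the
advisory (one PaymentIntent accepted for several submissions) beside the two
checks that close it: confirm the intent's status with the gateway, and record
each consumed intent ID so a second submission with the same ID is rejected.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the Stripe API: intent id -> (status, amount in cents).
FAKE_GATEWAY = {
    "pi_demo_succeeded": ("succeeded", 2500),
    "pi_demo_pending": ("requires_payment_method", 2500),
}


def retrieve_intent(intent_id):
    """Hypothetical gateway lookup; a real integration would query Stripe's API."""
    if intent_id not in FAKE_GATEWAY:
        raise LookupError(f"unknown PaymentIntent {intent_id}")
    status, amount = FAKE_GATEWAY[intent_id]
    return {"id": intent_id, "status": status, "amount": amount}


@dataclass
class OrderProcessor:
    expected_amount: int                                  # price of the item in cents
    consumed: set = field(default_factory=set)            # ledger of intent IDs already turned into orders
    emails_sent: list = field(default_factory=list)       # stand-in for the admin notification mailer

    def handle_submission_vulnerable(self, intent_id):
        """Defect class from the advisory: trusts the submitted ID and emails on every attempt."""
        self.emails_sent.append(f"order confirmed for {intent_id}")
        return "accepted"

    def handle_submission_fixed(self, intent_id):
        """Accept a submission once per intent, and only if the gateway reports it as paid."""
        if intent_id in self.consumed:
            return "rejected: PaymentIntent already used"
        try:
            intent = retrieve_intent(intent_id)
        except LookupError:
            return "rejected: unknown PaymentIntent"
        if intent["status"] != "succeeded":
            return f"rejected: status {intent['status']}"
        if intent["amount"] != self.expected_amount:
            return "rejected: amount mismatch"
        # Record the intent before any side effect so a concurrent replay also fails.
        self.consumed.add(intent_id)
        self.emails_sent.append(f"order confirmed for {intent_id}")
        return "accepted"


if __name__ == "__main__":
    vulnerable = OrderProcessor(expected_amount=2500)
    for _ in range(3):
        vulnerable.handle_submission_vulnerable("pi_demo_succeeded")
    print("vulnerable handler sent", len(vulnerable.emails_sent), "emails for one payment")

    fixed = OrderProcessor(expected_amount=2500)
    print(fixed.handle_submission_fixed("pi_demo_succeeded"))
    print(fixed.handle_submission_fixed("pi_demo_succeeded"))
    print(fixed.handle_submission_fixed("pi_demo_pending"))
    print("fixed handler sent", len(fixed.emails_sent), "email")
```

The in-memory `consumed` set only illustrates the idea; in a real WordPress deployment the ledger has to be persistent and the insert atomic (for example a database column with a unique index on the intent ID), otherwise two requests racing through the same PHP worker pool could both pass the membership check. The amount comparison matters as well: confirming the status alone still lets an intent for a cheaper item be presented for a more expensive one.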

Affected Version(s)

Forminator Forms – Contact Form, Payment Form & Custom Form Builder: <= 1.42.0

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Asaf Mozes