Order Replay Vulnerability in Forminator Forms Plugin by WordPress
CVE-2025-3479
5.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 17 April 2025
What is CVE-2025-3479?
The Forminator Forms plugin for WordPress suffers from an Order Replay vulnerability affecting all versions up to and including 1.42.0. The flaw lies in the 'handle_stripe_single' function, where insufficient validation of user-controlled input allows unauthenticated attackers to reuse a single Stripe PaymentIntent across multiple order submissions. Although Stripe processes only the initial transaction, the plugin sends a confirmation email for every attempt, potentially misleading administrators into fulfilling orders that were never actually paid for.
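The defensive pattern the advisory implies is illustrated below as an added example; it is not code from the Forminator plugin or from the vendor's fix. The Stripe client is a constructed in-memory stand-in, and every function, class and PaymentIntent id (for example `pi_constructed_001`) is hypothetical. The vulnerable handler mirrors the behaviour described above (a confirmation email on every submission, with no check that the intent was already consumed); the hardened handler confirms an order only when the PaymentIntent exists, has status `succeeded`, matches the order's amount and currency, and has not been consumed before.

```python
"""Replay guard for a Stripe PaymentIntent confirmation step.

Added example, not the plugin's code. FakeStripe is a constructed stand-in for
the PaymentIntents "retrieve" call; all names and ids are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class FakePaymentIntent:
    id: str
    amount: int        # minor units (e.g. cents), as Stripe reports them
    currency: str
    status: str        # Stripe lifecycle status, e.g. "succeeded"


class FakeStripe:
    """Constructed stand-in for the Stripe PaymentIntents API (retrieve only)."""

    def __init__(self, intents):
        self._intents = {pi.id: pi for pi in intents}

    def retrieve(self, intent_id):
        if intent_id not in self._intents:
            raise KeyError(f"no such PaymentIntent: {intent_id}")
        return self._intents[intent_id]


@dataclass
class Order:
    form_id: str
    amount: int
    currency: str


def vulnerable_handle(stripe, order, submitted_intent_id, sent_emails):
    """Pattern the advisory describes: the submitted intent id is trusted and a
    confirmation email goes out on every submission. Nothing checks whether the
    intent actually succeeded or was already used for an earlier order."""
    stripe.retrieve(submitted_intent_id)  # only existence is checked
    sent_emails.append(f"order confirmed for {order.form_id} via {submitted_intent_id}")
    return True


@dataclass
class ReplayGuard:
    # In production this set would be a persistent store (a DB table keyed on
    # the PaymentIntent id), not process memory; a set keeps the example self-contained.
    consumed: set = field(default_factory=set)

    def hardened_handle(self, stripe, order, submitted_intent_id, sent_emails):
        """Confirm only if the PaymentIntent (1) exists, (2) has succeeded,
        (3) matches the order's amount and currency, and (4) is unused."""
        try:
            intent = stripe.retrieve(submitted_intent_id)
        except KeyError:
            return False                       # unknown or forged id
        if intent.status != "succeeded":
            return False                       # payment never completed
        if intent.amount != order.amount or intent.currency != order.currency:
            return False                       # intent does not pay for this order
        if intent.id in self.consumed:
            return False                       # replay: already consumed earlier
        self.consumed.add(intent.id)           # mark before emailing (one-time use)
        sent_emails.append(f"order confirmed for {order.form_id} via {intent.id}")
        return True


def run_scenario():
    """Replay one succeeded intent three times against both handlers, then try
    an intent that never completed. Returns (vulnerable_email_count,
    hardened_email_count, hardened_results)."""
    order = Order("payment_form_7", 2500, "usd")
    stripe = FakeStripe([
        FakePaymentIntent("pi_constructed_001", 2500, "usd", "succeeded"),
        FakePaymentIntent("pi_constructed_002", 2500, "usd", "requires_payment_method"),
    ])

    vuln_emails = []
    for _ in range(3):
        vulnerable_handle(stripe, order, "pi_constructed_001", vuln_emails)

    guard = ReplayGuard()
    hard_emails = []
    results = [guard.hardened_handle(stripe, order, "pi_constructed_001", hard_emails)
               for _ in range(3)]
    results.append(guard.hardened_handle(stripe, order, "pi_constructed_002", hard_emails))
    return len(vuln_emails), len(hard_emails), results


if __name__ == "__main__":
    print(run_scenario())  # (3, 1, [True, False, False, False])
```

The consumed-id check is what closes the replay: the first submission with `pi_constructed_001` is confirmed, the two replays are rejected, and the intent that never reached `succeeded` is rejected as well, so the administrator receives exactly one confirmation for exactly one completed payment. Recording the id before sending the email (rather than after) avoids a window in which two concurrent submissions both pass the check.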
Affected Version(s)
- Forminator Forms – Contact Form, Payment Form & Custom Form Builder: <= 1.42.0