Authentication Bypass in WP Full Stripe Free Plugin for WordPress
CVE-2026-12432
Key Information:
- Vendor: WordPress
- Status
- CVE Published: 27 June 2026
What is CVE-2026-12432?
The WP Full Stripe Free plugin for WordPress is affected by a Missing Authorization vulnerability that allows unauthenticated attackers to manipulate payment records in the database. This vulnerability is due to the wpfs_update_failed_payment_status AJAX action, which does not enforce capability checks, nonce verification, or user authentication. Unauthenticated attackers who acquire a valid Stripe Payment Intent ID can exploit this flaw to alter previously successful transactions, marking them as failed or falsifying error codes and messages, leading to potential financial discrepancies and undermining the integrity of payment processing.
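A reconciliation check for the impact described above, as an added example that is not part of the original advisory or the plugin's code: it compares locally stored payment rows with Stripe's own PaymentIntent records and reports rows marked failed, or carrying an error code, that Stripe does not confirm. The local field names (`payment_intent_id`, `status`, `error_code`) and all sample data are constructed assumptions; `id`, `status` and `last_payment_error` are PaymentIntent fields in Stripe's API.

```python
# Added example: reconcile local payment rows against Stripe's own record.
# Local field names and status strings are hypothetical, not the plugin's schema.

def find_tampered(local_rows, stripe_intents):
    """Return (intent_id, reason) for local rows that contradict Stripe."""
    by_id = {pi["id"]: pi for pi in stripe_intents}
    findings = []
    for row in local_rows:
        pid = row["payment_intent_id"]
        pi = by_id.get(pid)
        if pi is None:
            # Cannot be verified either way; surface it for manual review.
            findings.append((pid, "not found in Stripe export"))
            continue
        # last_payment_error is null on intents that never failed.
        stripe_err = (pi.get("last_payment_error") or {}).get("code")
        if row["status"] == "failed" and pi["status"] == "succeeded":
            findings.append((pid, "local row failed, Stripe says succeeded"))
        elif row.get("error_code") and row["error_code"] != stripe_err:
            findings.append((pid, "local error code differs from Stripe"))
    return findings

# Constructed sample data (placeholder intent IDs, not real ones).
LOCAL_ROWS = [
    {"payment_intent_id": "pi_EXAMPLE0001", "status": "succeeded", "error_code": None},
    {"payment_intent_id": "pi_EXAMPLE0002", "status": "failed", "error_code": "card_declined"},
    {"payment_intent_id": "pi_EXAMPLE0003", "status": "failed", "error_code": "card_declined"},
    {"payment_intent_id": "pi_EXAMPLE0004", "status": "failed", "error_code": "expired_card"},
]
STRIPE_INTENTS = [
    {"id": "pi_EXAMPLE0001", "status": "succeeded", "last_payment_error": None},
    {"id": "pi_EXAMPLE0002", "status": "succeeded", "last_payment_error": None},
    {"id": "pi_EXAMPLE0003", "status": "requires_payment_method",
     "last_payment_error": {"code": "card_declined"}},
    {"id": "pi_EXAMPLE0004", "status": "requires_payment_method",
     "last_payment_error": {"code": "card_declined"}},
]

if __name__ == "__main__":
    for intent_id, reason in find_tampered(LOCAL_ROWS, STRIPE_INTENTS):
        print(intent_id, reason)
```

Stripe's record is treated as authoritative here because the flaw only affects the copy held in the WordPress database.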
Affected Version(s)
Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions 0 <= 8.4.3