CVE-2026-2729
Authorization Bypass in Forminator WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpform | forminator | up to and including 1.52.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Forminator plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 1.52.0. This occurs because the plugin does not properly verify whether a user is authorized to perform certain actions when processing Stripe PaymentIntent identifiers supplied by an attacker in the public payment flow.
As a result, unauthenticated attackers can reuse Stripe PaymentIntent identifiers from low-value payments that have already succeeded to submit high-value paid forms as completed, effectively bypassing payment requirements.
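The following added example (not Forminator's code, and not taken from the advisory) models the flaw class described above next to a server-side check that binds a PaymentIntent to one submission. The field names `id`, `status`, `amount`, `currency` and `metadata` are Stripe PaymentIntent fields; the metadata keys, the consumed-id ledger, the function names and all sample values are assumptions constructed for illustration.

```python
# Added example: bind a Stripe PaymentIntent to exactly one form submission.
# `intent` stands for a PaymentIntent the server retrieved from Stripe itself
# by id; fields sent by the browser must never be trusted for these checks.

def weak_is_paid(intent):
    """Flawed pattern: any succeeded intent counts, whatever it paid for."""
    return intent["status"] == "succeeded"


def verify_payment(intent, expected, consumed_ids):
    """Return (ok, reason). `expected` is computed server-side from the form
    definition; `consumed_ids` is the store of already redeemed intent ids."""
    if intent["status"] != "succeeded":
        return False, "not_succeeded"
    if intent["id"] in consumed_ids:
        return False, "intent_already_used"
    if intent["currency"].lower() != expected["currency"].lower():
        return False, "currency_mismatch"
    if intent["amount"] != expected["amount"]:  # smallest currency unit
        return False, "amount_mismatch"
    meta = intent.get("metadata") or {}
    if meta.get("form_id") != expected["form_id"]:  # hypothetical key
        return False, "form_mismatch"
    if meta.get("submission_token") != expected["submission_token"]:
        return False, "submission_mismatch"
    consumed_ids.add(intent["id"])  # single use: redeem exactly once
    return True, "ok"


# Constructed sample data (not real Stripe objects or identifiers).
OLD_CHEAP_INTENT = {"id": "pi_constructed_0001", "status": "succeeded",
                    "amount": 100, "currency": "usd",
                    "metadata": {"form_id": "12", "submission_token": "tok-a"}}
FRESH_INTENT = {"id": "pi_constructed_0002", "status": "succeeded",
                "amount": 50000, "currency": "usd",
                "metadata": {"form_id": "34", "submission_token": "tok-b"}}
HIGH_VALUE_FORM = {"form_id": "34", "amount": 50000, "currency": "usd",
                   "submission_token": "tok-b"}


def demo():
    ledger = set()
    return {
        "weak_accepts_replay": weak_is_paid(OLD_CHEAP_INTENT),
        "replay": verify_payment(OLD_CHEAP_INTENT, HIGH_VALUE_FORM, ledger),
        "fresh": verify_payment(FRESH_INTENT, HIGH_VALUE_FORM, ledger),
        "fresh_again": verify_payment(FRESH_INTENT, HIGH_VALUE_FORM, ledger),
    }
```

In production the ledger needs to be persistent and the "check then mark used" step atomic (for example a unique constraint on the intent id), so that two concurrent submissions cannot redeem the same intent.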
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass payment by submitting high-value forms as completed without actually paying the required amount. This can lead to financial loss for the website owner or business using the Forminator plugin.
Since the vulnerability allows unauthorized submission of paid forms, it undermines the integrity of payment processing and could result in underpayment or loss of revenue.