CVE-2026-12432
Status: Received - Intake

Unauthenticated Payment Status Update in WP Full Stripe Free

Vulnerability report for CVE-2026-12432, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: Wordfence

Description

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.

Meta Information

Published: 2026-06-27
Last Modified: 2026-06-27
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor          Product              Version / Range
wp_full_stripe  wp_full_stripe_free  up to and including 8.4.3

Exploitability

CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

The WP Full Stripe Free plugin for WordPress has a vulnerability called Missing Authorization in versions up to and including 8.4.3. This occurs via the wpfs_update_failed_payment_status AJAX action, which is accessible to both authenticated and unauthenticated users. The function handling this action does not perform any capability checks, nonce verification, or logged-in checks before updating payment records in the database.

Because of this, an attacker who can obtain a valid Stripe Payment Intent ID (which is normally exposed to customers during Stripe.js checkout) can manipulate payment records on the site. Specifically, they can mark previously successful payments as failed and overwrite failure codes and messages with values they supply.

Impact Analysis

This vulnerability allows unauthenticated attackers to alter payment records on a WordPress site running the WP Full Stripe Free plugin. They can mark successful payments as failed and insert arbitrary failure codes and messages. Only the site's local copy of the record is changed: the call goes to the plugin's own database table, so the charge on the Stripe side is untouched and the discrepancy appears between the site's database and the Stripe dashboard.

The impact includes corrupted payment processing records, confusion for both merchants and customers (for example, fulfilment being withheld for an order that was actually paid), financial reconciliation discrepancies, and loss of trust in the payment system.

Detection Guidance

This vulnerability involves the wpfs_update_failed_payment_status AJAX action being accessible without authorization, allowing manipulation of payment records via attacker-controlled POST parameters.

All WordPress AJAX actions are dispatched through /wp-admin/admin-ajax.php, which reads the action name from $_REQUEST, so an attacker can place action=wpfs_update_failed_payment_status either in the query string or in the POST body. Only the first case is visible in a standard web server access log; request bodies are not logged by default.

  • Search access logs for the action name in the request line: grep 'POST .*admin-ajax\.php.*wpfs_update_failed_payment_status' /var/log/apache2/access.log
  • An empty result does not rule out exploitation, because the action name normally travels in the POST body. To see body parameters, enable request-body logging at the WAF or reverse proxy (for example a ModSecurity audit log) or log the action at the application layer inside WordPress.
  • Wireshark or tcpdump only show the action parameter on plaintext HTTP; on an HTTPS site, capture or log at the TLS-terminating proxy instead.
  • Unauthenticated calls to this action are not suspicious on their own, since the handler is registered for anonymous visitors and the plugin's checkout flow uses it. The reliable indicator is a record mismatch: cross-check the plugin's payment records against the Stripe dashboard, and treat any payment that Stripe shows as succeeded but the site records as failed, especially with an unfamiliar failure code or message, as tampered.

Mitigation Strategies

The immediate mitigation is to update the WP Full Stripe Free plugin to a version later than 8.4.3 in which this vulnerability is fixed.

If an update cannot be applied immediately, restrict the wpfs_update_failed_payment_status AJAX action: add a capability check and nonce verification to the handler, or block its wp_ajax_nopriv_ hook so that only logged-in users can reach it. Note that the handler is registered for unauthenticated callers on purpose (the Payment Intent ID it takes is the one exposed to the customer's browser during Stripe.js checkout), so blocking anonymous access also stops the plugin from recording genuine failed payments for guest customers until the update is applied.

Additionally, monitor payment records for suspicious changes and consider temporarily deactivating the plugin until the patched version is installed.
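As an added example (not code from WP Full Stripe Free or from this report), the following must-use plugin implements the two interim measures described above together: it records every call to the action at the application layer, where the POST body is visible, and it ends unauthenticated requests before the vulnerable handler can run. The hook names come from the advisory; the file name, the log format, the choice of priority 0 and the manage_options capability for logged-in callers are assumptions. As discussed under mitigation, this guard also blocks the plugin's own anonymous checkout calls, so it is a stopgap, not a fix.

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2026-12432
 * Description: Logs and blocks unauthenticated calls to the
 *              wpfs_update_failed_payment_status AJAX action until
 *              WP Full Stripe Free is updated past 8.4.3.
 *
 * Install as wp-content/mu-plugins/cve-2026-12432-guard.php (file name
 * is an assumption). Must-use plugins load before regular plugins, so
 * these hooks are registered before the plugin's own handler.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const WPFS_GUARD_ACTION = 'wpfs_update_failed_payment_status';

/**
 * Record the attempt in the PHP error log (wp-content/debug.log when
 * WP_DEBUG_LOG is enabled). The action name and Payment Intent ID are
 * carried in the POST body, which the web server access log never sees,
 * so this is the only place the call is reliably visible.
 */
function wpfs_guard_log( $outcome ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // The plugin's parameter names are not published in the advisory, so log
    // the POST key names (not values) to keep a complete record without
    // writing customer data to the log.
    $keys = implode( ',', array_map( 'sanitize_key', array_keys( $_POST ) ) );
    error_log( sprintf(
        '[wpfs-guard] action=%s outcome=%s ip=%s user=%d post_keys=%s',
        WPFS_GUARD_ACTION, $outcome, $remote, get_current_user_id(), $keys
    ) );
}

// admin-ajax.php dispatches visitors who are not logged in to
// wp_ajax_nopriv_{action}. Priority 0 runs ahead of the plugin's handler
// (registered at the default priority 10, assumed), and wp_send_json_error()
// terminates the request, so update_failed_payment_status() never executes.
add_action( 'wp_ajax_nopriv_' . WPFS_GUARD_ACTION, function () {
    wpfs_guard_log( 'blocked-unauthenticated' );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, 0 );

// Logged-in callers are dispatched to wp_ajax_{action}. Restrict the action
// to administrators; manage_options is an assumption about which role should
// be allowed to alter payment records while the guard is active.
add_action( 'wp_ajax_' . WPFS_GUARD_ACTION, function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wpfs_guard_log( 'blocked-insufficient-capability' );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // Administrator: log and fall through to the plugin's own handler.
    wpfs_guard_log( 'allowed-admin' );
}, 0 );
```

Because admin-ajax.php takes the action name from $_REQUEST, the guard covers both query-string and POST-body requests. A nonce check is deliberately omitted: the advisory does not say whether the plugin's front-end JavaScript sends one or under what name, and inventing a nonce name here would only reject every caller. Once the patched plugin version is installed, delete the file so the plugin's own authorization logic takes over.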
