Forminator < 1.52.1 – Unauthenticated Missing Authorization to Payment Bypass | CVE 2026-2729 | Plugin Vulnerabilities

Description

The plugin is vulnerable to authorization bypass due to insufficient verification of user authorization when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.

Affects Plugins

Fixed in 1.52.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Kittipat Jitphonchana

Verified

No

WPVDB ID

b14c385c-42a2-451e-b8cb-b680483a47a0

Timeline

Publicly Published

2026-05-04 (about 10 days ago)

Added

2026-05-05 (about 9 days ago)

Last Updated

2026-05-05 (about 9 days ago)

Other

Published

Title

Published

2022-11-14

Title

TeraWallet - For WooCommerce < 1.4.4 - Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR

Published

2025-11-20

Title

ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.0 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client'

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Insecure Direct Object Reference

Published

2025-09-03

Title

wpForo Forum < 2.4.7 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-09-17

Title

Chained Quiz < 1.3.6 - Unauthenticated Insecure Direct Object Reference via Cookie