CVE-2026-2729 Overview
CVE-2026-2729 is an authorization bypass vulnerability in the Forminator plugin for WordPress affecting all versions up to and including 1.52.0. The plugin fails to verify that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. Unauthenticated attackers can submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent. This results in underpayment and payment bypass conditions on sites that monetize forms through Stripe. The flaw is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).
Critical Impact
Unauthenticated attackers can replay low-value Stripe PaymentIntent identifiers to mark high-value paid form submissions as completed, causing financial loss to site operators.
Affected Products
- Forminator plugin for WordPress, all versions up to and including 1.52.0
- WordPress sites using Forminator with Stripe payment integration
- Sites accepting variable or tiered payments through Forminator forms
Discovery Timeline
- 2026-05-05 - CVE-2026-2729 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-2729
Vulnerability Analysis
The Forminator plugin integrates with Stripe to collect payments through WordPress forms. During submission, the plugin processes a PaymentIntent identifier provided by the client to confirm payment status. The vulnerable code path trusts the client-supplied identifier without verifying that the referenced PaymentIntent corresponds to the current submission, the expected amount, or an authorized session.
An unauthenticated attacker first completes a legitimate low-value payment on the same site to obtain a succeeded PaymentIntent ID. The attacker then submits a separate, higher-value form and replaces the new PaymentIntent reference with the previously succeeded low-value ID. The plugin queries Stripe, sees a succeeded status, and marks the high-value submission as paid.
The issue is a logic flaw in the public payment flow rather than a memory or injection bug. It enables underpayment without requiring authentication, valid credentials, or user interaction. See the Wordfence Vulnerability Report for additional analysis.
Root Cause
The root cause is missing authorization and binding checks between a submitted form instance and the PaymentIntent identifier supplied by the client. The plugin does not validate that the PaymentIntent was created for the specific form, amount, currency, and session being processed. This matches the CWE-639 pattern of authorization through a user-controlled key.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker performs one valid low-value payment to capture a succeeded PaymentIntent ID. The attacker then submits a higher-priced form and reuses that ID in the public submission endpoint. The plugin reports the submission as paid, and the form action completes without the correct charge being made.
The vulnerability is described in prose because no public proof-of-concept code is referenced in the advisory. Technical fix details are available in the WordPress Plugin Changeset.
Detection Methods for CVE-2026-2729
Indicators of Compromise
- Multiple Forminator submissions referencing the same Stripe PaymentIntent ID across different form entries
- Submissions marked as paid where the recorded amount does not match the form's configured price
- Stripe dashboard showing fewer or smaller charges than the count of completed paid form entries in WordPress
- Repeated POSTs to Forminator submission endpoints from the same IP with varying form IDs but identical payment_intent values
Detection Strategies
- Reconcile Forminator entry logs against Stripe charge history and flag any entry whose PaymentIntent ID is reused or whose amount is below the form's configured price.
- Inspect WordPress access logs for POST requests to Forminator AJAX endpoints (admin-ajax.php with Forminator submission actions) carrying client-supplied payment_intent parameters.
- Review web application firewall (WAF) logs for high-frequency form submissions originating from a small set of source IPs.
Monitoring Recommendations
- Enable Stripe webhook logging and alert when a single PaymentIntent is referenced by more than one downstream order or submission.
- Monitor the Forminator submissions table for entries with payment_status = success but missing or mismatched charge metadata.
- Track outbound API calls from WordPress to api.stripe.com and correlate with submission counts to detect divergence.
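The reconciliation described under Detection Strategies and Monitoring Recommendations, as an added example that is not Forminator's or Wordfence's code: it compares a constructed export of Forminator entries with a constructed set of Stripe PaymentIntent records and flags the three indicators listed above (a PaymentIntent reused by several entries, an entry marked paid without a succeeded Stripe record, and an entry whose charged amount or currency does not match the form's configured price). Field names such as form_price and payment_status are assumptions about the export format; amounts are in minor units as Stripe reports them.

```python
"""Reconcile Forminator entries against Stripe PaymentIntent records (added example)."""
from collections import defaultdict

# Constructed sample: rows as a site might export them from the Forminator entries table.
# form_price is the form's configured price; the field names are assumed.
FORMINATOR_ENTRIES = [
    {"entry_id": 101, "form_id": 7, "form_price": 1000, "currency": "usd",
     "payment_intent": "pi_lowvalue001", "payment_status": "success"},
    {"entry_id": 102, "form_id": 12, "form_price": 50000, "currency": "usd",
     "payment_intent": "pi_lowvalue001", "payment_status": "success"},  # same ID as entry 101
    {"entry_id": 103, "form_id": 12, "form_price": 50000, "currency": "usd",
     "payment_intent": "pi_fullprice002", "payment_status": "success"},
    {"entry_id": 104, "form_id": 12, "form_price": 50000, "currency": "usd",
     "payment_intent": "pi_missing003", "payment_status": "success"},   # nothing on the Stripe side
]

# Constructed sample: PaymentIntents as Stripe would report them for the same period.
STRIPE_PAYMENT_INTENTS = {
    "pi_lowvalue001": {"amount_received": 1000, "currency": "usd", "status": "succeeded"},
    "pi_fullprice002": {"amount_received": 50000, "currency": "usd", "status": "succeeded"},
}


def reconcile(entries, intents):
    """Return (entry_id, finding) tuples for every paid entry that needs review."""
    findings = []

    # Index completed entries by PaymentIntent so reuse across entries is visible.
    by_intent = defaultdict(list)
    for e in entries:
        if e["payment_status"] == "success":
            by_intent[e["payment_intent"]].append(e["entry_id"])

    for e in entries:
        if e["payment_status"] != "success":
            continue
        pi_id = e["payment_intent"]

        # Indicator 1: one PaymentIntent backing more than one completed entry.
        if len(by_intent[pi_id]) > 1:
            findings.append((e["entry_id"],
                             f"payment_intent {pi_id} reused by entries {by_intent[pi_id]}"))

        # Indicator 2: entry marked paid but Stripe holds no succeeded intent for it.
        pi = intents.get(pi_id)
        if pi is None or pi["status"] != "succeeded":
            findings.append((e["entry_id"], f"no succeeded Stripe record for {pi_id}"))
            continue

        # Indicator 3: charged amount below the configured price, or a different currency.
        if pi["currency"] != e["currency"] or pi["amount_received"] < e["form_price"]:
            findings.append((e["entry_id"],
                             f"underpaid: stripe {pi['amount_received']} {pi['currency']} "
                             f"vs form price {e['form_price']} {e['currency']}"))
    return findings


def suspicious_entry_ids(entries=FORMINATOR_ENTRIES, intents=STRIPE_PAYMENT_INTENTS):
    """Sorted, de-duplicated entry IDs that carry at least one finding."""
    return sorted({entry_id for entry_id, _ in reconcile(entries, intents)})


if __name__ == "__main__":
    for entry_id, finding in reconcile(FORMINATOR_ENTRIES, STRIPE_PAYMENT_INTENTS):
        print(f"entry {entry_id}: {finding}")
```

On the sample data, entry 101 is reported only because its PaymentIntent is shared, entry 102 is reported for both the reuse and the underpayment, and entry 104 is reported because Stripe has no record of it; entry 103 is clean. Running this over a real export is the reconciliation step the Immediate Actions section calls for.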
How to Mitigate CVE-2026-2729
Immediate Actions Required
- Update the Forminator plugin to the patched release published after version 1.52.0 as referenced in the WordPress Plugin Changeset 3500669.
- Audit all Forminator entries created since the plugin was installed to identify reused PaymentIntent IDs and underpaid submissions.
- Reconcile WordPress form revenue against Stripe charge totals for the affected period and dispute or reverse fulfillment for unpaid submissions.
Patch Information
The vendor addressed the issue in the changeset published at plugins.trac.wordpress.org/changeset/3500669/forminator. The fix introduces server-side validation that binds the PaymentIntent identifier to the specific form submission, expected amount, and currency before marking the entry as paid. Site operators must update to the fixed release through the WordPress plugin updater or by replacing the plugin files manually.
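The binding check described here and under Root Cause, as an added example that models the logic rather than reproducing Forminator's code: a status-only check of the kind the advisory describes sits beside a check that binds the PaymentIntent to the form, expected amount, currency and session and refuses a second use of the same intent. Stripe's lookup is replaced by a constructed in-memory table, and binding the intent to a form and session through PaymentIntent metadata written at creation time is an assumption about how such a fix could be implemented, not a description of the vendor's changeset. Amounts are in minor units.

```python
"""Status-only PaymentIntent check beside a bound check (added example, not Forminator code)."""

# Constructed stand-in for Stripe's PaymentIntent objects. A real integration retrieves
# these through the Stripe API; the metadata is assumed to have been set server-side when
# the intent was created for a particular form and checkout session.
STRIPE_INTENTS = {
    "pi_low001": {"status": "succeeded", "amount_received": 1000, "currency": "usd",
                  "metadata": {"form_id": "7", "session_token": "sess-aaa"}},
    "pi_high002": {"status": "succeeded", "amount_received": 50000, "currency": "usd",
                   "metadata": {"form_id": "12", "session_token": "sess-bbb"}},
}

# Constructed form definitions: the price the server expects for each form.
LOW_FORM = {"id": 7, "price": 1000, "currency": "usd"}
HIGH_FORM = {"id": 12, "price": 50000, "currency": "usd"}

# Server-side record of PaymentIntents already consumed by a completed entry.
CONSUMED = set()


def retrieve_intent(pi_id):
    """Stand-in for a Stripe API retrieve call."""
    return STRIPE_INTENTS.get(pi_id)


def status_only_is_paid(pi_id, form):
    """Trusts the client-supplied ID and checks nothing but the status (the CWE-639 pattern).
    Any succeeded intent, whatever it paid for, satisfies this check."""
    pi = retrieve_intent(pi_id)
    return pi is not None and pi["status"] == "succeeded"


def bound_is_paid(pi_id, form, session_token, consumed=CONSUMED):
    """Accepts the intent only if it succeeded, covers this form's price in this form's
    currency, was created for this form and session, and has not been used before."""
    pi = retrieve_intent(pi_id)
    if pi is None or pi["status"] != "succeeded":
        return False
    if pi["currency"] != form["currency"]:
        return False
    if pi["amount_received"] < form["price"]:
        return False
    meta = pi.get("metadata", {})
    if meta.get("form_id") != str(form["id"]) or meta.get("session_token") != session_token:
        return False
    if pi_id in consumed:  # a succeeded intent may settle exactly one entry
        return False
    consumed.add(pi_id)
    return True


if __name__ == "__main__":
    # The low-value intent is accepted for the high-value form by the status-only check
    # and rejected by the bound check; the matching intent passes once and only once.
    print("status-only, low intent on high form:", status_only_is_paid("pi_low001", HIGH_FORM))
    print("bound, low intent on high form:", bound_is_paid("pi_low001", HIGH_FORM, "sess-aaa"))
    print("bound, matching intent first use:", bound_is_paid("pi_high002", HIGH_FORM, "sess-bbb"))
    print("bound, matching intent second use:", bound_is_paid("pi_high002", HIGH_FORM, "sess-bbb"))
```

The amount comparison uses the amount Stripe reports as received rather than anything the client submits, and the consumed set is what turns a one-time intent into a one-time entry; in a real plugin that set would be a database column on the entry or a lookup of existing entries by PaymentIntent ID, checked under the same transaction that marks the entry paid.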
Workarounds
- Disable Stripe payment integration in Forminator forms until the plugin is updated.
- Temporarily deactivate Forminator on sites that cannot be patched immediately and route payments through a hosted Stripe Checkout link instead.
- Restrict access to Forminator submission endpoints via WAF rules that require a valid CSRF token and rate-limit POSTs to admin-ajax.php actions used by the plugin.
# Example WAF rule (ModSecurity) to block reused PaymentIntent IDs.
# Requires SecDataDir so the RESOURCE collection persists across requests.
# Rule 1: on a Forminator submission carrying a payment_intent, count how often that
# PaymentIntent ID has been seen, keyed on the ID itself and kept for 24 hours.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"id:1002728,phase:2,pass,nolog,chain"
SecRule ARGS:action "@rx forminator_submit_form" "chain"
SecRule ARGS:payment_intent "@rx ^pi_[A-Za-z0-9]+$" \
"initcol:resource=%{ARGS.payment_intent},setvar:resource.seen=+1,expirevar:resource.seen=86400"
# Rule 2: deny only when the same PaymentIntent ID was already submitted before.
# Note that a legitimate retry of one submission with the same ID is blocked as well.
SecRule RESOURCE:seen "@gt 1" \
"id:1002729,phase:2,deny,status:403,\
msg:'Forminator PaymentIntent reuse blocked (CVE-2026-2729)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.