Forminator Forms WordPress Plugin Order Replay Vulnerability

Vulnerability

An order replay vulnerability has been identified in the Forminator Forms WordPress plugin, affecting all versions through 1.42.0. The flaw is in the 'handle_stripe_single' function: the Stripe PaymentIntent identifier submitted with the form is user-controlled and is not adequately validated, so an unauthenticated attacker can reuse a single PaymentIntent across multiple form submissions. Stripe charges the customer only once, for the first submission, but the plugin treats each subsequent submission as a paid order and sends a successful-payment email notification for every one of them, which can mislead administrators into fulfilling orders that were never paid for.

Impact

An attacker who has paid once can replay the same PaymentIntent to generate any number of additional orders, each accompanied by a notification indistinguishable from that of a genuine paid order. Administrators who fulfil orders on the strength of these emails would ship goods or deliver services for which Stripe has recorded only a single payment.

Reproduction

To reproduce, submit a form built with Forminator that includes a Stripe payment field and complete the payment normally. Then resubmit the form with the 'stripe-intent' parameter set to the identifier of the PaymentIntent that has already been used; because the plugin does not check whether that PaymentIntent has already been consumed, the resubmission is accepted. Stripe processes the payment only for the first submission, but the plugin sends a successful-payment confirmation email for every subsequent submission that reuses the PaymentIntent. Comparing the number of confirmation emails with the charges recorded in the Stripe dashboard shows the discrepancy: several apparent orders, a single payment.
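The replay described above, and the check that prevents it, modelled as an added example in Python. This is not Forminator's code: the real handler is PHP inside the plugin and its internals are not shown on this page. Stripe is replaced by an in-memory stub, and FakeStripe, OrderStore, expected_charge and the metadata.form_id binding are assumptions made for the illustration. The vulnerable variant mirrors the described behaviour (it trusts the client-supplied intent id and checks only that the intent succeeded); the hardened variant additionally verifies amount, currency and form binding, and marks each PaymentIntent as single-use so a replay is rejected.

```python
"""PaymentIntent replay check, modelled in Python.

Added example, not Forminator's code. Stripe is replaced by an in-memory
stub so the script runs offline; FakeStripe, OrderStore, expected_charge and
the metadata.form_id binding are assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample PaymentIntents, shaped like stripe.PaymentIntent.retrieve() output.
SAMPLE_INTENTS = {
    "pi_demo_paid": {"id": "pi_demo_paid", "status": "succeeded", "amount": 2500,
                     "currency": "usd", "metadata": {"form_id": "42"}},
    "pi_demo_unpaid": {"id": "pi_demo_unpaid", "status": "requires_payment_method",
                       "amount": 2500, "currency": "usd", "metadata": {"form_id": "42"}},
    "pi_demo_other_form": {"id": "pi_demo_other_form", "status": "succeeded", "amount": 2500,
                           "currency": "usd", "metadata": {"form_id": "7"}},
}


class FakeStripe:
    """Stand-in for the Stripe API: looks intents up server-side by id."""

    def __init__(self, intents):
        self._intents = intents

    def retrieve(self, intent_id):
        if intent_id not in self._intents:
            raise KeyError(intent_id)
        return self._intents[intent_id]


@dataclass
class OrderStore:
    orders: list = field(default_factory=list)   # one entry per "order placed" email
    consumed: set = field(default_factory=set)   # intent ids already tied to an order


def handle_stripe_single_vulnerable(submission, stripe, store):
    """Pattern the advisory describes: the client-supplied id is looked up and
    only its status is checked, so the same succeeded intent can be submitted
    again and each replay produces a fresh order notification."""
    intent = stripe.retrieve(submission["stripe-intent"])
    if intent["status"] != "succeeded":
        return "rejected: not paid"
    store.orders.append({"form_id": submission["form_id"], "intent": intent["id"]})
    return "ok: notification sent"


def handle_stripe_single_hardened(submission, stripe, store, expected_charge):
    """Same handler with the validation a replay-safe version needs.
    expected_charge is the (amount, currency) the server computed for the form."""
    intent_id = submission.get("stripe-intent", "")
    if not intent_id.startswith("pi_"):
        return "rejected: malformed intent id"
    try:
        intent = stripe.retrieve(intent_id)
    except KeyError:
        return "rejected: unknown intent"
    if intent["status"] != "succeeded":
        return "rejected: not paid"
    if (intent["amount"], intent["currency"]) != expected_charge:
        return "rejected: amount mismatch"
    if intent["metadata"].get("form_id") != submission["form_id"]:
        return "rejected: intent belongs to another form"
    # Single use: an intent id may back exactly one order. In production this
    # must be an atomic insert under a unique constraint, not an in-memory set.
    if intent_id in store.consumed:
        return "rejected: intent already used"
    store.consumed.add(intent_id)
    store.orders.append({"form_id": submission["form_id"], "intent": intent_id})
    return "ok: notification sent"


def replay_demo():
    """Submit the same paid intent twice against each handler and count orders."""
    stripe = FakeStripe(SAMPLE_INTENTS)
    submission = {"form_id": "42", "stripe-intent": "pi_demo_paid"}
    vuln, hard = OrderStore(), OrderStore()
    vuln_results = [handle_stripe_single_vulnerable(submission, stripe, vuln) for _ in range(2)]
    hard_results = [handle_stripe_single_hardened(submission, stripe, hard, (2500, "usd"))
                    for _ in range(2)]
    return {
        "vulnerable_orders": len(vuln.orders), "vulnerable_results": vuln_results,
        "hardened_orders": len(hard.orders), "hardened_results": hard_results,
    }


if __name__ == "__main__":
    print(replay_demo())
```

Running the script shows the vulnerable handler recording two orders for one paid intent while the hardened handler records one and rejects the replay. The in-memory set is only a stand-in: in a real plugin the "already used" test has to be an atomic write against the database (a unique index on the PaymentIntent id), otherwise two concurrent resubmissions can both pass the check before either records the order.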

Remediation

Update Forminator Forms to version 1.42.1 or later, where this vulnerability has been patched. Until the update is applied, reconcile each order notification against the corresponding PaymentIntent in the Stripe dashboard before fulfilling it, since a notification alone does not prove that a payment was taken.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.