Forminator WordPress Plugin Authorization Bypass Vulnerability Allowing Payment Bypass

Vulnerability

A vulnerability exists in the Forminator plugin for WordPress, specifically in versions up to and including 1.52.0. The issue stems from the plugin's failure to properly verify user authorization when handling Stripe PaymentIntent identifiers in the public payment flow. This oversight allows unauthenticated attackers to exploit the system by reusing low-value PaymentIntents to complete high-value paid forms, creating conditions for underpayment or payment bypass.

Impact

Exploitation of this vulnerability allows for unauthorized completion of paid forms, leading to underpayment or payment bypass.

Remediation

Users are advised to update the Forminator plugin to version 1.52.1 or later.
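
The kind of server-side check whose absence the description above refers to, shown as an added example for reviewing similar payment code. It is not Forminator's code and not the 1.52.1 patch; the function name, the metadata keys form_id and submission_token, and all sample values are assumptions.

```php
<?php
// Added example: hypothetical names and constructed data, not Forminator's code.
/**
 * @param array $intent   PaymentIntent fetched server-side from Stripe by id.
 * @param array $expected Server-computed amount (smallest unit), currency,
 *                        form_id and submission_token for this submission.
 * @param array $consumed Ids of intents that already completed a submission.
 * @return array [bool $ok, string $reason]
 */
function example_intent_matches_submission(array $intent, array $expected, array $consumed): array
{
    if (($intent['status'] ?? '') !== 'succeeded') {
        return [false, 'status'];
    }
    // Replay guard: one PaymentIntent completes at most one submission.
    if (in_array((string) ($intent['id'] ?? ''), $consumed, true)) {
        return [false, 'already-used'];
    }
    // Amount and currency must equal what the server priced this form at.
    if (!isset($intent['amount']) || (int) $intent['amount'] !== (int) $expected['amount']) {
        return [false, 'amount'];
    }
    if (strtolower((string) ($intent['currency'] ?? '')) !== strtolower((string) $expected['currency'])) {
        return [false, 'currency'];
    }
    // Binding: metadata written when the intent was created must name this form
    // and this submission (hypothetical keys form_id / submission_token).
    $meta = $intent['metadata'] ?? [];
    if ((string) ($meta['form_id'] ?? '') !== (string) $expected['form_id']) {
        return [false, 'form'];
    }
    $token = (string) ($meta['submission_token'] ?? '');
    if (!hash_equals((string) $expected['submission_token'], $token)) {
        return [false, 'binding'];
    }
    return [true, 'ok'];
}

// Constructed sample data.
$expected = ['amount' => 50000, 'currency' => 'usd', 'form_id' => '12', 'submission_token' => 'tok-A'];
$lowValue = ['id' => 'pi_example_1', 'status' => 'succeeded', 'amount' => 100, 'currency' => 'usd',
    'metadata' => ['form_id' => '7', 'submission_token' => 'tok-B']];
$matching = ['id' => 'pi_example_2', 'status' => 'succeeded', 'amount' => 50000, 'currency' => 'usd',
    'metadata' => ['form_id' => '12', 'submission_token' => 'tok-A']];

foreach (['low-value' => $lowValue, 'matching' => $matching] as $label => $intent) {
    [$ok, $reason] = example_intent_matches_submission($intent, $expected, ['pi_example_0']);
    printf("%s: %s (%s)\n", $label, $ok ? 'accept' : 'reject', $reason);
}
```

In a real handler, the consumed-id lookup and the write that records the id belong in one atomic step so that two concurrent requests cannot both pass.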

Added: May 5, 2026, 7:23 AM
Updated: May 5, 2026, 7:23 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 6.9
remediation: 7.7
relevance: 7.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.