PatchSiren cyber security CVE debrief
CVE-2026-12432 themeisle CVE debrief
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site to manipulate payment records in the site's database. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check. As a result, attackers can mark previously successful payments as failed and overwrite failure codes and messages with attacker-supplied values.
- Vendor: themeisle
- Product: Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-27
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-27
- Advisory updated: 2026-06-29
Who should care
Administrators of WordPress sites using the WP Full Stripe Free plugin, especially those processing payments through Stripe, should be aware of this vulnerability. Exploitation requires a valid Stripe Payment Intent ID for the target site, and such IDs may be exposed through normal Stripe.js checkout flows. Site owners should prioritize updating to a patched version of the plugin.
Technical summary
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization due to a lack of proper checks in the wpfs_update_failed_payment_status AJAX action. This action is registered via both wp_ajax_ and wp_ajax_nopriv_ hooks, allowing unauthenticated access. The update_failed_payment_status() function does not perform capability checks, nonce verification, or logged-in checks before updating payment records. Attackers can exploit this by manipulating POST parameters to alter payment statuses and details in the site's database, provided they have a valid Stripe Payment Intent ID for the target site.
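As an added illustration, not the plugin's own code, the following shows the hardened shape of the handler pattern described above: registered only on the authenticated wp_ajax_ hook, with a nonce check, a capability check and input validation before any record is touched. Hook, option and function names are assumptions, and wpfs_refresh_payment_status_from_stripe() is a hypothetical helper standing in for a server-side lookup against Stripe.

```php
<?php
// Added example (not the plugin's code). Names below are assumptions.

// Register ONLY on wp_ajax_, never wp_ajax_nopriv_: WordPress then answers
// anonymous callers with its default "0"/400 response before our code runs.
add_action( 'wp_ajax_wpfs_update_failed_payment_status', 'wpfs_update_failed_payment_status_secure' );

function wpfs_update_failed_payment_status_secure() {
    // 1. Explicit logged-in check (defence in depth on top of the hook choice).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. CSRF protection: the client must send a nonce created with
    //    wp_create_nonce( 'wpfs_payment_status' ) in the "nonce" field.
    check_ajax_referer( 'wpfs_payment_status', 'nonce' );

    // 3. Capability check: assumed capability, adjust to the plugin's own role model.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. Validate the only client-controlled input we accept. Stripe Payment
    //    Intent IDs are "pi_" followed by alphanumerics.
    $intent_id = isset( $_POST['payment_intent_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['payment_intent_id'] ) )
        : '';
    if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $intent_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid payment intent id.' ), 400 );
    }

    // 5. Never let the client dictate status, failure code or message.
    //    Derive them server-side from Stripe (hypothetical helper returning
    //    array( 'status' => ..., 'failure_code' => ..., 'failure_message' => ... ) or null).
    $fresh = wpfs_refresh_payment_status_from_stripe( $intent_id );
    if ( null === $fresh ) {
        wp_send_json_error( array( 'message' => 'Unknown payment intent.' ), 404 );
    }

    // 6. Emit an audit event so a SIEM or logging plugin can watch for
    //    unexpected success-to-failed transitions (assumed custom action).
    do_action( 'wpfs_payment_status_changed', $intent_id, $fresh, get_current_user_id() );

    wp_send_json_success( array( 'payment_intent_id' => $intent_id, 'status' => $fresh['status'] ) );
}
```

A monitoring hook subscribed to the custom action can record who changed which record and when, which is the concrete form the "monitor for suspicious payment record changes" recommendation takes.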
Defensive priority
High priority should be given to updating the WP Full Stripe Free plugin to a version that addresses this vulnerability. Site administrators should also review their Stripe payment intent IDs for exposure and consider implementing additional monitoring for suspicious payment record changes.
Recommended defensive actions
- Update WP Full Stripe Free plugin to the latest version.
- Review Stripe payment intent IDs for exposure.
- Implement monitoring for suspicious payment record changes.
- Consider restricting access to sensitive payment information.
- Regularly review and update plugins and themes.
Evidence notes
The CVE-2026-12432 record and associated details were obtained from the National Vulnerability Database (NVD) and CVE.org. The vulnerability was reported by [email protected]. The WP Full Stripe Free plugin's code and version details were examined through the WordPress plugin repository.
This article is AI-assisted and based on the supplied source corpus.