Medium severity5.3NVD Advisory· Published May 5, 2026· Updated May 5, 2026
CVE-2026-2729
CVE-2026-2729
Description
The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.52.0
Patches
Vulnerability mechanics
References
2News mentions
2- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 11, 2026 to May 17, 2026)Wordfence Blog · May 21, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026)Wordfence Blog · May 14, 2026