cleantalk
Vulnerabilities and Security Researches

Forminator – Contact Form, Payment Form & Custom Form Builder, CVE-2025-3479

CVE, Research URL

CVE-2025-3479

Home page URL

Security reports for Forminator – Contact Form, Payment Form & Custom Form Builder

Application

Forminator – Contact Form, Payment Form & Custom Form Builder

Published on
Apr 17, 2025
Research Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Affected versions
Min -, max 1.42.1.
Status
vulnerable
Previous vulnerability researches
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (CVE-2024-12544) , Mar 02, 2025
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (CVE-2025-32256) , Apr 05, 2025
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (CVE-2025-32167) , Apr 05, 2025
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (CVE-2024-50427) , Oct 27, 2024
New vulnerability
Cost Calculator Builder (CVE-2025-39587) , Apr 19, 2025
Klarna Checkout for WooCommerce (CVE-2024-13925) , Apr 19, 2025
WordPress Button Plugin MaxButtons (CVE-2025-39444) , Apr 19, 2025
Course Booking System (CVE-2025-32508) , Apr 19, 2025
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Wo (CVE-2025-39588) , Apr 19, 2025