PT-2025-16953 · WordPress · The Forminator Forms

Asaf Mozes · Published 2025-04-17 · Updated 2025-04-19 · CVE-2025-3479

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress, versions up to and including 1.42.0.

Description: The plugin's handle_stripe_single function does not sufficiently validate a user-controlled key, the client-submitted Stripe PaymentIntent identifier, before treating a form submission as paid. An unauthenticated attacker can therefore submit the same PaymentIntent with any number of form submissions. Stripe processes only the first transaction, but the plugin sends a "payment successful" email for every submission, which can trick an administrator into fulfilling each order even though only one was actually paid. The impact is limited to integrity (I:L in the vector above): nothing is disclosed and no service is disrupted.

Recommendations: For versions up to and including 1.42.0, update to a release that includes the fix so that a PaymentIntent cannot be reused across transactions. Until the update is applied, disable Stripe payment fields on the affected forms (the request path that reaches handle_stripe_single), and reconcile every Stripe-paid order against the Stripe dashboard before fulfilling it, since the plugin's success email alone is not proof of payment.
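To make the mechanism and the fix concrete, the following is an added illustration written for this page, not Forminator's code: a simplified WordPress handler that first trusts the client-supplied PaymentIntent id as proof of payment, the way the description says the vulnerable path does, and then the same handler hardened so the id is only a lookup key, the intent is verified with Stripe, and each intent can be consumed exactly once. The function names, the `paymentid` form field, the option key, the expected-amount parameters and the use of the stripe-php SDK are assumptions made for the illustration.

```php
<?php
// Added illustration for this advisory; not Forminator's code.
// Assumes the stripe/stripe-php SDK is loaded and configured, and that the
// form posts a 'paymentid' field holding a Stripe PaymentIntent id ("pi_...").
// All function names, fields and option keys below are hypothetical.

// VULNERABLE PATTERN: the client-controlled key is treated as evidence of
// payment. Nothing ties it to this order, and nothing stops the same id from
// being posted again with a second, third, ... submission.
function example_vulnerable_handle_stripe_single( array $post ) {
    $intent_id = sanitize_text_field( $post['paymentid'] ?? '' );
    if ( '' === $intent_id ) {
        return new WP_Error( 'no_payment', 'Missing PaymentIntent id.' );
    }
    // One "paid order" email per submission, whether or not Stripe ever
    // charged this intent for this order.
    wp_mail( get_option( 'admin_email' ), 'New paid order', "Paid with {$intent_id}" );
    return true;
}

// HARDENED PATTERN: retrieve the intent from Stripe, check that it actually
// succeeded for the amount and currency this order expects, and record it as
// consumed so that a replayed id is rejected instead of emailing the admin.
function example_hardened_handle_stripe_single( array $post, int $expected_amount, string $expected_currency ) {
    $intent_id = sanitize_text_field( $post['paymentid'] ?? '' );
    if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $intent_id ) ) {
        return new WP_Error( 'bad_payment_id', 'Malformed PaymentIntent id.' );
    }

    try {
        $intent = \Stripe\PaymentIntent::retrieve( $intent_id );
    } catch ( \Stripe\Exception\ApiErrorException $e ) {
        return new WP_Error( 'stripe_lookup_failed', $e->getMessage() );
    }

    // Status, amount (smallest currency unit) and currency must all match;
    // a succeeded intent for a different, cheaper order is still not payment
    // for this one.
    if ( 'succeeded' !== $intent->status
        || (int) $intent->amount !== $expected_amount
        || strtolower( (string) $intent->currency ) !== strtolower( $expected_currency ) ) {
        return new WP_Error( 'payment_mismatch', 'PaymentIntent does not match this order.' );
    }

    // One-time consumption. The option key is hypothetical. get_option /
    // update_option is not atomic, so two concurrent replays could both pass
    // this check; in production use a dedicated table with a UNIQUE index on
    // the intent id so the second INSERT fails at the database.
    $used = get_option( 'example_used_payment_intents', array() );
    if ( isset( $used[ $intent_id ] ) ) {
        return new WP_Error( 'payment_reused', 'PaymentIntent already consumed.' );
    }
    $used[ $intent_id ] = time();
    update_option( 'example_used_payment_intents', $used, false );

    wp_mail( get_option( 'admin_email' ), 'New paid order', "Paid with {$intent_id}" );
    return true;
}
```

The essential change is that the submitted id never decides anything by itself: the server asks Stripe what the intent is, compares it against what this order should cost, and then retires it. If the server also creates the PaymentIntent itself and stamps the form or entry id into the intent's metadata, the hardened path can additionally compare that metadata, which closes the remaining gap of a genuine succeeded intent for an identical-priced product being replayed against a different form.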

Weakness Enumeration

Related Identifiers: CVE-2025-3479

Affected Products: The Forminator Forms