CVE-2025-3479: 
WordPress vulnerability analysis and mitigation

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in versions up to and including 1.42.0. The vulnerability was discovered on April 16, 2025, and assigned CVE-2025-3479. The issue exists in the 'handlestripesingle' function due to insufficient validation on a user-controlled key (NVD, WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue with a CVSS v3.1 Base Score of 5.3 (Medium). The flaw exists in the 'handlestripesingle' function where insufficient validation allows attackers to manipulate user-controlled keys. The vulnerability is tracked under CWE-354 (Improper Validation of Integrity Check Value) (WPScan).

This vulnerability allows unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. While only the first transaction is processed through Stripe, the plugin sends successful email messages for each transaction attempt. This behavior could deceive administrators into fulfilling multiple orders when only one payment has been made (NVD).

The vulnerability has been patched in version 1.42.1 of the Forminator Forms plugin. Users are advised to update to this version or later to protect against potential exploitation (WPScan).