CVE-2026-2888
Received Received - Intake
Authorization Bypass in Formidable Forms Plugin Enables Payment Manipulation

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Wordfence

Description
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2888
EUVD
EUVD-2026-11766
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
formidable_forms formidable_forms to 6.28 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Formidable Forms plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 6.28. This occurs because the AJAX handler `frm_strp_amount` (also known as `update_intent_ajax`) overwrites the global `$_POST` data with attacker-controlled JSON input. It then uses these manipulated values to recalculate payment amounts through field shortcode resolution in the function `generate_false_entry()`.

Although the handler uses a nonce for CSRF protection, this nonce is publicly exposed in the page's JavaScript, which means it does not provide proper authorization. As a result, unauthenticated attackers can manipulate PaymentIntent amounts before payment completion on forms that use dynamic pricing with field shortcodes.

Impact Analysis

This vulnerability allows unauthenticated attackers to pay reduced amounts for goods or services by manipulating the payment amounts on forms using dynamic pricing. Essentially, attackers can bypass authorization controls to alter payment amounts before the payment is completed.

  • Financial loss due to underpayment.
  • Potential revenue loss for businesses using the affected plugin.
  • Damage to trust and reputation if customers or attackers exploit this flaw.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2888. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart