CVE-2026-2888
Received Received - Intake
Authorization Bypass in Formidable Forms Plugin Enables Payment Manipulation

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Wordfence

Description
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-13
Generated
2026-05-07
AI Q&A
2026-03-13
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2888
EUVD
EUVD-2026-11766
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
formidable_forms formidable_forms to 6.28 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Formidable Forms plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 6.28. This occurs because the AJAX handler `frm_strp_amount` (also known as `update_intent_ajax`) overwrites the global `$_POST` data with attacker-controlled JSON input. It then uses these manipulated values to recalculate payment amounts through field shortcode resolution in the function `generate_false_entry()`.

Although the handler uses a nonce for CSRF protection, this nonce is publicly exposed in the page's JavaScript, which means it does not provide proper authorization. As a result, unauthenticated attackers can manipulate PaymentIntent amounts before payment completion on forms that use dynamic pricing with field shortcodes.


How can this vulnerability impact me? :

This vulnerability allows unauthenticated attackers to pay reduced amounts for goods or services by manipulating the payment amounts on forms using dynamic pricing. Essentially, attackers can bypass authorization controls to alter payment amounts before the payment is completed.

  • Financial loss due to underpayment.
  • Potential revenue loss for businesses using the affected plugin.
  • Damage to trust and reputation if customers or attackers exploit this flaw.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart