CVE-2026-2890
Payment Integrity Bypass in Formidable Forms WordPress Plugin

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Wordfence

Description
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
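A defender-side illustration of the two checks the description says the return handler and `verify_intent()` lack, written here as added example PHP (not Formidable Forms or Stripe code): the intent's captured amount and currency are compared with the record's expected values, and the intent is bound to the form and action that created it through metadata assumed to have been set when the intent was created. The `$intent` and `$payment` array shapes, the `payment_intent_completion_error` name and the list of already-consumed intent ids are all assumptions.

```php
<?php
// Added example, not plugin code. $intent mirrors the fields a retrieved
// Stripe PaymentIntent object carries; $payment is an assumed local record.

/**
 * Decide whether a PaymentIntent may mark a payment record as complete.
 * Returns null when every check passes, otherwise a short reason.
 *
 * Check (1) alone is what the advisory describes the vulnerable handler
 * relying on; checks (2) and (3) are the missing amount comparison and
 * form/action binding; check (4) stops one intent completing two records.
 */
function payment_intent_completion_error(array $intent, array $payment, array $consumed_intent_ids): ?string
{
    // (1) Stripe reports the funds as captured.
    if (($intent['status'] ?? '') !== 'succeeded') {
        return 'intent not succeeded';
    }
    // (2) Amount and currency must equal what this record expects
    //     (Stripe amounts are integers in the smallest currency unit).
    if ((int) ($intent['amount_received'] ?? -1) !== (int) $payment['expected_amount']
        || strtolower($intent['currency'] ?? '') !== strtolower($payment['currency'])) {
        return 'amount or currency mismatch';
    }
    // (3) The intent must have been created for this form and action
    //     (assumption: ids were written to intent metadata at creation).
    $meta = $intent['metadata'] ?? [];
    if ((string) ($meta['form_id'] ?? '') !== (string) $payment['form_id']
        || (string) ($meta['action_id'] ?? '') !== (string) $payment['action_id']) {
        return 'intent not bound to this form and action';
    }
    // (4) Each intent id completes at most one record.
    if (in_array($intent['id'] ?? '', $consumed_intent_ids, true)) {
        return 'intent already consumed';
    }
    return null;
}

// Constructed sample: an intent from a 5.00 USD payment on form 7 is
// presented against a record expecting 500.00 USD on form 9.
$lowValueIntent = [
    'id' => 'pi_EXAMPLE_PLACEHOLDER', 'status' => 'succeeded',
    'amount_received' => 500, 'currency' => 'usd',
    'metadata' => ['form_id' => '7', 'action_id' => '12'],
];
$highValueRecord = [
    'expected_amount' => 50000, 'currency' => 'usd',
    'form_id' => '9', 'action_id' => '31',
];
echo payment_intent_completion_error($lowValueIntent, $highValueRecord, []) ?? 'ok', PHP_EOL;
```

Amount and binding are checked against the record the handler is about to mark complete, not against values supplied in the return URL, so a substituted client secret cannot change what is expected.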
Meta Information
Published: 2026-03-13
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor            Product           Version / Range
formidable_forms  formidable_forms  up to 6.28 (inclusive)
formidable        formidable_forms  up to 6.28 (inclusive)
formidableforms   formidable_forms  up to 6.28 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The Formidable Forms plugin for WordPress has a vulnerability in its payment processing system up to version 6.28. The issue arises because the plugin marks payment records as complete based only on the Stripe PaymentIntent status, without verifying that the charged amount matches the expected payment amount. Additionally, the verification function only checks client secret ownership and does not bind the payment intents to specific forms or actions. This allows unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to falsely mark a high-value payment as complete, bypassing the actual payment.


How can this vulnerability impact me?

This vulnerability can lead to financial loss because attackers can bypass payment requirements by reusing low-value payment intents to mark high-value payments as complete without actually paying. This means goods or services could be obtained without proper payment, potentially causing revenue loss and undermining trust in the payment system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

