CVE-2026-2890
Received Received - Intake
Payment Integrity Bypass in Formidable Forms WordPress Plugin

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Wordfence

Description
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2890
EUVD
EUVD-2026-11756
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
formidable_forms formidable_forms to 6.28 (inc)
formidable formidable_forms to 6.28 (inc)
formidableforms formidable_forms to 6.28 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Formidable Forms plugin for WordPress has a vulnerability in its payment processing system up to version 6.28. The issue arises because the plugin marks payment records as complete based only on the Stripe PaymentIntent status, without verifying that the charged amount matches the expected payment amount. Additionally, the verification function only checks client secret ownership and does not bind the payment intents to specific forms or actions. This allows unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to falsely mark a high-value payment as complete, bypassing the actual payment.

Impact Analysis

This vulnerability can lead to financial loss because attackers can bypass payment requirements by reusing low-value payment intents to mark high-value payments as complete without actually paying. This means goods or services could be obtained without proper payment, potentially causing revenue loss and undermining trust in the payment system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart