CVE-2026-2888 in Formidable Forms Plugin
Summary
by MITRE • 03/13/2026
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2026-2888 affects the Formidable Forms plugin for WordPress, specifically impacting versions up to and including 6.28. This authorization bypass flaw stems from a critical design weakness in how the plugin handles AJAX requests for payment processing through its Stripe integration. The vulnerability manifests in the `frm_strp_amount` AJAX handler which is part of the `update_intent_ajax` functionality, creating a dangerous path for unauthorized manipulation of payment transactions.
Exploitation hinges on the handling of global POST data: the vulnerable handler decodes attacker-controlled JSON from the request body and writes it over the standard `$_POST` array. This substitution happens before the payment amount is calculated, so the injected values flow straight into `generate_false_entry()`, which builds a temporary entry from them. Because the payment amount is derived by resolving field shortcodes against that entry, the dynamic pricing elements resolve to whatever values the client supplied, yielding an incorrect monetary total. This is a straightforward case of insecure data handling in which user input is trusted without validation or an authorization check, aligning with CWE-20: Improper Input Validation and CWE-862: Missing Authorization.
The operational impact of this vulnerability is severe for businesses relying on Formidable Forms for e-commerce transactions, particularly those utilizing dynamic pricing features. Unauthenticated attackers can manipulate payment intents to reduce the amount owed for goods or services, effectively enabling fraud without requiring valid user credentials or payment authorization. The vulnerability is particularly dangerous because the nonce used for CSRF protection is publicly exposed in the page's JavaScript through `frm_stripe_vars.nonce`, which provides protection against cross-site request forgery but offers no authorization safeguards. This means that any visitor to a vulnerable website can potentially exploit the flaw, making it a high-risk issue for online businesses and service providers. The attack requires no authentication and can be executed through standard web browsing activities, presenting a significant threat to payment integrity and financial security.
Mitigation strategies should focus on immediate plugin updates to versions that address this authorization bypass vulnerability, as the developers have likely implemented proper nonce validation and input sanitization. Organizations should also consider implementing additional monitoring of AJAX endpoints and payment processing activities to detect anomalous transaction patterns. Network-level protections such as rate limiting and IP-based restrictions on AJAX handlers can provide additional defense in depth. The vulnerability demonstrates the importance of proper authorization checks in web applications and aligns with ATT&CK technique T1548.003: Steal or Forge Authentication Certificates, as it allows unauthorized users to effectively bypass authentication mechanisms for payment processing. Security teams should also review other plugins and themes for similar patterns of global data overwriting and inadequate input validation, particularly in payment-related functionality. Organizations using dynamic pricing features should implement additional validation layers to ensure that calculated amounts match expected business logic and are not susceptible to manipulation through field shortcode resolution processes.
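The amount-recalculation flaw described above, and the validation layer the last paragraph recommends, can be modelled side by side. The following is an added example written for this page, not code from Formidable Forms: it assumes a hypothetical form whose Stripe amount is the product of a product-field shortcode and a quantity-field shortcode, and shows why resolving those shortcodes from the client's JSON yields an attacker-chosen amount, whereas resolving them from the server-side configuration does not.

```python
import json
import re
from decimal import Decimal

# Constructed form configuration (hypothetical): the Stripe amount is a
# product of field shortcodes, as the page describes for dynamic pricing.
FORM_CONFIG = {
    "amount_template": "[101]*[102]",  # product price x quantity
    "fields": {
        "101": {"type": "product", "prices": {"basic": "10.00", "pro": "50.00"}},
        "102": {"type": "quantity", "min": 1, "max": 10},
    },
}
SHORTCODE = re.compile(r"\[(\d+)\]")

def amount_from_values(template, values):
    """Substitute field shortcodes, multiply the terms (no eval), return cents."""
    expr = SHORTCODE.sub(lambda m: str(values[m.group(1)]), template)
    total = Decimal("1")
    for term in expr.split("*"):
        total *= Decimal(term.strip())
    return int((total * 100).to_integral_value())  # Stripe amounts are in cents

def vulnerable_update_intent(raw_json):
    """Flawed pattern: the client's JSON replaces the request data and the
    shortcodes resolve to whatever values the client chose to send."""
    post = json.loads(raw_json)  # equivalent of overwriting $_POST
    return amount_from_values(FORM_CONFIG["amount_template"], post["item_meta"])

def hardened_update_intent(raw_json):
    """Resolve every shortcode from server-side configuration: product keys map
    to configured prices, quantities are bounded, anything else is rejected."""
    meta = json.loads(raw_json).get("item_meta", {})
    resolved = {}
    for fid, spec in FORM_CONFIG["fields"].items():
        value = meta.get(fid)
        if spec["type"] == "product":
            if not isinstance(value, str) or value not in spec["prices"]:
                raise ValueError(f"field {fid}: unknown product option")
            resolved[fid] = spec["prices"][value]
        else:  # quantity field
            try:
                qty = int(str(value))
            except ValueError:
                raise ValueError(f"field {fid}: quantity is not an integer")
            if not spec["min"] <= qty <= spec["max"]:
                raise ValueError(f"field {fid}: quantity out of range")
            resolved[fid] = qty
    return amount_from_values(FORM_CONFIG["amount_template"], resolved)
```

The value returned by the hardened path is what the server should use to set or verify the PaymentIntent amount before confirmation; a mismatch between it and the amount on the intent is the anomaly that payment monitoring should flag.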