CVE-2026-2890 in Formidable Forms Plugin
Summary
by MITRE • 03/13/2026
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified in CVE-2026-2890 represents a critical payment integrity flaw within the Formidable Forms WordPress plugin affecting versions up to and including 6.28. This security weakness stems from inadequate validation mechanisms in the Stripe Link payment processing workflow, specifically within the handle_one_time_stripe_link_return_url function and verify_intent function. The flaw creates a scenario where attackers can exploit the payment verification process to bypass payment requirements for high-value transactions by leveraging legitimate PaymentIntent objects from previous low-value payments.
The technical implementation of this vulnerability resides in the insufficient validation logic that governs payment intent processing. The system fails to establish proper correlation between the PaymentIntent's charged amount and the expected payment amount, creating a critical gap in the payment verification process. According to CWE-347, this represents a weakness in authentication and authorization mechanisms where the system does not properly validate the integrity of authentication tokens or payment data. The verify_intent function's validation approach only confirms client secret ownership without establishing binding relationships between PaymentIntents and specific forms or payment actions, allowing for cross-contamination of payment records.
The operational impact of this vulnerability extends beyond simple financial loss, creating potential security implications for e-commerce platforms utilizing Formidable Forms with Stripe integration. An unauthenticated attacker could manipulate payment records to mark high-value transactions as complete without actual payment, effectively enabling unauthorized access to premium services or products. This type of attack aligns with ATT&CK technique T1078.004, which involves legitimate credential access through the manipulation of payment systems. The vulnerability particularly affects online businesses where payment integrity is paramount, potentially leading to significant revenue loss and customer trust erosion.
Mitigation strategies for this vulnerability must address the fundamental flaws in the payment verification logic. The primary fix requires implementing proper amount validation that compares the PaymentIntent's charged amount against the expected payment amount before marking any transaction as complete. Additionally, the verify_intent function should be enhanced to bind PaymentIntents to specific forms and payment actions, ensuring that PaymentIntent objects cannot be reused across different transactions. Security measures should include implementing transaction-specific validation tokens and maintaining detailed audit trails of payment intent usage. Organizations should also consider implementing additional monitoring mechanisms to detect unusual payment pattern behaviors and establish proper input validation for all payment-related parameters to prevent similar vulnerabilities in the future.