WordPress Security Bulletin: Formidable Forms Plugin Vulnerability (CVE-2026-2888)

Security Alert Summary

The Formidable Forms plugin for WordPress contains an authorization bypass that can allow unauthenticated attackers to manipulate payment amounts on forms using dynamic pricing with field shortcodes. The issue stems from an AJAX handler that accepts attacker-controlled JSON, overwrites $_POST, and uses those values to recalculate PaymentIntent amounts before payment completion.

CVE Details

  • CVE ID: CVE-2026-2888
  • Affected plugin / component: Formidable Forms plugin for WordPress
  • Affected versions: All versions up to and including 6.28
  • Published: March 13, 2026 at 7:54:34 PM UTC
  • Last modified: March 13, 2026 at 7:54:34 PM UTC
  • CVSS v3.1: Base score 5.3 — MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Authentication / Privileges / User interaction: No authentication required; PR:N; no user interaction required
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: None
  • CWE / weakness: CWE-639
  • Fixed version: Not specified in the CVE entry

Technical Details

This vulnerability is an authorization bypass involving the Formidable Forms Stripe integration. The issue is triggered by the frm_strp_amount AJAX handler (also referenced as update_intent_ajax), which accepts JSON input from user-controlled data and overwrites the global $_POST array with that content. After this overwrite, the plugin recalculates payment amounts by resolving field shortcodes via generate_false_entry(), using the attacker-supplied values rather than server-validated data.

The AJAX handler relies on a nonce value exposed in page JavaScript (frm_stripe_vars.nonce). While the nonce provides CSRF protection, the CVE notes that it does not provide authorization, and therefore does not prevent unauthenticated manipulation of the payment amount in this flow. As described, an attacker can alter the PaymentIntent amount before payment completion on forms that use dynamic pricing populated by field shortcodes.
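As an added illustration (not code from Formidable Forms or from the CVE entry), the handler shape the bulletin describes is shown beside a hardened version that takes only identifiers from the request and looks the price up server-side; every name prefixed `example_` and the option key are hypothetical, while `check_ajax_referer`, `absint`, `get_option` and `wp_send_json_*` are WordPress core functions:

```php
<?php
// Added illustration, not Formidable Forms code. All names prefixed
// "example_" are hypothetical stand-ins.

// Vulnerable shape described in the bulletin: request JSON replaces $_POST,
// and the amount is then recomputed from those client-controlled values.
function example_update_amount_vulnerable() {
    check_ajax_referer( 'example_stripe_nonce', 'nonce' );            // CSRF only
    $_POST  = json_decode( file_get_contents( 'php://input' ), true ); // untrusted
    $amount = (int) $_POST['unit_price'] * (int) $_POST['quantity'];  // client sets price
    wp_send_json_success( array( 'amount' => $amount ) );
}

// Hardened shape: the request may only identify what is being bought; the
// price is looked up server-side, and the nonce is not treated as authorization.
function example_update_amount_hardened() {
    check_ajax_referer( 'example_stripe_nonce', 'nonce' );            // still CSRF only

    $form_id  = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $quantity = isset( $_POST['quantity'] ) ? absint( $_POST['quantity'] ) : 0;
    if ( 0 === $form_id || $quantity < 1 || $quantity > 100 ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    $unit_price_cents = example_unit_price_for_form( $form_id );
    if ( null === $unit_price_cents ) {
        wp_send_json_error( array( 'message' => 'unknown form' ), 404 );
    }
    $amount = $unit_price_cents * $quantity;

    // Detection hook: a client-supplied amount that disagrees with the
    // server-side figure is a signal worth logging, never a value to honour.
    if ( isset( $_POST['amount'] ) && (int) $_POST['amount'] !== $amount ) {
        error_log( sprintf( 'example: amount mismatch form=%d client=%d server=%d',
            $form_id, (int) $_POST['amount'], $amount ) );
    }

    wp_send_json_success( array( 'amount' => $amount ) );
}

// Constructed stand-in for stored form settings: form id => unit price in cents.
function example_unit_price_for_form( $form_id ) {
    $prices = get_option( 'example_form_unit_prices', array() );
    return isset( $prices[ $form_id ] ) ? (int) $prices[ $form_id ] : null;
}

add_action( 'wp_ajax_nopriv_example_update_amount', 'example_update_amount_hardened' );
add_action( 'wp_ajax_example_update_amount', 'example_update_amount_hardened' );
```

The logged mismatch is the kind of "unexpected price change" signal the Recommended Actions section suggests monitoring for.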

How This Could Impact Your Website

Imagine a site owner running a store or accepting payments via a Formidable form that uses dynamic pricing (field shortcodes). An unauthenticated attacker could manipulate a form submission so the PaymentIntent amount is reduced before the payment is completed. This could result in customers paying less than the intended price, incorrect order fulfillment, accounting discrepancies, and increased risk of chargebacks or disputes.

The vulnerability affects the integrity of payment amounts rather than disclosing user data (Confidentiality: None). However, financial discrepancies and fraudulent transactions can still create operational and reputational issues for site owners, staff, and contractors who manage orders and billing. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available (no fixed version is specified in the CVE entry).
  • Review and reduce unnecessary user roles and permissions, especially for contributors who can edit forms or payment-related settings.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins, and audit plugins that handle payments or sensitive business logic.
  • Monitor site activity and payment logs for unusual behavior, unexpected price changes, or increased chargebacks.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
