Security Alert Summary
The Formidable Forms plugin for WordPress contains a payment integrity bypass (CVE-2026-2890) that can allow an attacker to mark high-value payments as complete by reusing a previously completed low-value Stripe PaymentIntent. The issue is caused by incomplete validation in the Stripe Link return handler and the intent verification logic.
CVE Details
- CVE ID: CVE-2026-2890
- Affected plugin or component: Formidable Forms plugin for WordPress
- Affected versions: All versions up to and including 6.28
- Published date: March 13, 2026 at 7:54:34 PM UTC
- Last modified date: March 13, 2026 at 7:54:34 PM UTC
- CVSS v3.1: Base Score 7.5, Severity: HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Authentication / privileges / user interaction: Privileges Required: NONE; User Interaction: NONE; Authentication: none specified (an unauthenticated attacker is possible)
- Primary impact: Confidentiality: NONE; Integrity: HIGH; Availability: NONE
- CWE / weakness ID: CWE-862
Technical Details
According to the CVE description, the vulnerability exists because the Stripe Link return handler (handle_one_time_stripe_link_return_url) marks payment records as complete based solely on the Stripe PaymentIntent status. The code does not compare the PaymentIntent’s charged amount against the expected payment amount. In addition, the verify_intent() function validates only ownership of the client secret and does not bind intents to specific forms or actions.
These deficiencies allow an attacker to reuse a PaymentIntent from an already completed low-value payment and present it as proof of payment for a different, higher-value transaction. The core issue is missing binding and amount verification between the PaymentIntent and the form/payment record rather than a flaw in Stripe itself.
How This Could Impact Your Website
Imagine a site owner running paid forms (orders, registrations, or paid downloads) using Formidable Forms. Internal staff process orders and an external contractor performs test transactions. If an attacker can obtain or reuse a previously completed low-value PaymentIntent, they could submit it against a different form instance to mark a higher-value order as paid.
Practical consequences include delivery of goods or services without receiving the expected payment, increased likelihood of chargebacks, inventory discrepancies, and fraud-related accounting or administrative burdens. The vulnerability impacts payment integrity specifically and does not imply arbitrary site takeover or data exposure beyond what the CVE describes.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (Fixed version is not specified in the CVE entry.)
- Review and reduce unnecessary user roles, especially contributors and other non-administrative roles that can submit forms or process payments.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce your attack surface.
- Monitor site activity and order/payment logs for unusual behavior, duplicate intents, or mismatched amounts.
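The two checks the Technical Details section says are missing (amount and currency matching, and binding the PaymentIntent to the specific form and entry) plus the audit suggested in the last recommendation above (duplicate intents, mismatched amounts) can be illustrated together. The following is an added example written for this summary; it is not code from Formidable Forms (which is PHP) and it does not reproduce handle_one_time_stripe_link_return_url or verify_intent(). It assumes a hypothetical PaymentRecord layout, assumes that form_id and entry_id were written into the intent's metadata when the intent was created, and uses a constructed PaymentIntent dictionary shaped like the fields Stripe returns.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a completed low-value PaymentIntent (5.00 USD in minor
# units). The metadata keys are an assumption about how a hardened handler
# would bind an intent to the form/entry it was created for.
SAMPLE_INTENT = {
    "id": "pi_constructed_lowvalue",
    "status": "succeeded",
    "amount_received": 500,
    "currency": "usd",
    "metadata": {"form_id": "7", "entry_id": "101"},
}


@dataclass
class PaymentRecord:
    """Hypothetical payment record; the real plugin's schema is not shown on this page."""
    payment_id: str
    form_id: int
    entry_id: int
    expected_amount: int        # minor units (cents)
    currency: str
    status: str = "pending"
    intent_id: Optional[str] = None


def verify_intent_for_payment(intent: dict, record: PaymentRecord,
                              consumed: Set[str]) -> Tuple[bool, str]:
    """Return (ok, reason). Status alone is not enough: amount, currency,
    form/entry binding and single use must all hold before marking complete."""
    if intent.get("status") != "succeeded":
        return False, "intent not succeeded"
    # Amount binding: what Stripe actually collected must equal what this record expects.
    if intent.get("amount_received") != record.expected_amount:
        return False, "amount mismatch"
    if intent.get("currency", "").lower() != record.currency.lower():
        return False, "currency mismatch"
    # Form/entry binding: the intent must have been created for this form and entry.
    meta = intent.get("metadata", {})
    if (str(meta.get("form_id")) != str(record.form_id)
            or str(meta.get("entry_id")) != str(record.entry_id)):
        return False, "intent not bound to this form/entry"
    # Replay: one PaymentIntent settles exactly one payment record.
    if intent["id"] in consumed:
        return False, "intent already used"
    return True, "ok"


def complete_payment(intent: dict, record: PaymentRecord,
                     consumed: Set[str]) -> Tuple[bool, str]:
    """Mark the record complete only when every binding check passes."""
    ok, reason = verify_intent_for_payment(intent, record, consumed)
    if ok:
        record.status = "complete"
        record.intent_id = intent["id"]
        consumed.add(intent["id"])
    return ok, reason


def find_suspicious_payments(records: List[PaymentRecord],
                             intents_by_id: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Audit already-completed records: flag an intent ID used by more than one
    record and any record whose expected amount differs from what was charged."""
    findings: List[Tuple[str, str]] = []
    first_use: Dict[str, str] = {}
    for r in records:
        if r.status != "complete" or not r.intent_id:
            continue
        if r.intent_id in first_use:
            findings.append((r.payment_id, f"intent {r.intent_id} also used by {first_use[r.intent_id]}"))
        else:
            first_use[r.intent_id] = r.payment_id
        intent = intents_by_id.get(r.intent_id)
        if intent is None:
            findings.append((r.payment_id, "intent not found"))
        elif intent.get("amount_received") != r.expected_amount:
            findings.append((r.payment_id,
                             f"amount mismatch: charged {intent.get('amount_received')}, expected {r.expected_amount}"))
    return findings


def demo() -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Run the hardened handler over constructed records, then audit a pair of
    records left the way a status-only handler would have left them."""
    consumed: Set[str] = set()
    low = PaymentRecord("pay-A", 7, 101, 500, "usd")          # legitimate 5.00 order
    high = PaymentRecord("pay-B", 7, 202, 50000, "usd")       # 500.00 order, same intent presented
    other_form = PaymentRecord("pay-C", 9, 303, 500, "usd")   # right amount, wrong form
    replay = PaymentRecord("pay-D", 7, 101, 500, "usd")       # same entry, intent already spent
    results = {r.payment_id: complete_payment(SAMPLE_INTENT, r, consumed)[1]
               for r in (low, high, other_form, replay)}
    legacy = [
        PaymentRecord("pay-A", 7, 101, 500, "usd", "complete", SAMPLE_INTENT["id"]),
        PaymentRecord("pay-B", 7, 202, 50000, "usd", "complete", SAMPLE_INTENT["id"]),
    ]
    findings = find_suspicious_payments(legacy, {SAMPLE_INTENT["id"]: SAMPLE_INTENT})
    return results, findings


if __name__ == "__main__":
    for section in demo():
        print(section)
```

The order of checks matters for the audit output: amount is compared before the replay set is consulted, so a reused intent presented against a larger order is reported as an amount mismatch rather than as a replay, which is the more actionable finding for a site owner reconciling orders against Stripe.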
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L92
- https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L429
- https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L79
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb4bc5a-9469-4733-acf3-d2dda5edb7af?source=cve