Description
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Payment Amount Manipulation
Action: Immediate Patch
AI Analysis

Impact

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass that allows an attacker to manipulate the amount charged on a payment form. The flaw lies in the frm_strp_amount AJAX handler (update_intent_ajax), which overwrites the global $_POST data with attacker-controlled JSON and then recalculates payment amounts by resolving field shortcodes in generate_false_entry(). Because the handler relies only on a publicly exposed nonce for CSRF protection, it does not provide proper authorization. An unauthenticated attacker can submit a crafted AJAX request to reduce the amount paid on forms that use dynamic pricing and Stripe payment integration, leading to potential financial loss for the site owner.

Affected Systems

All releases of the strategy11team Formidable Forms plugin up to and including version 6.28 are affected. The vulnerability impacts WordPress sites that use those plugin versions and enable Stripe payment integration with dynamic pricing field shortcodes. No other vendors or product lines are reported as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is below 1%, suggesting a currently low probability of widespread exploitation, and the vulnerability is not listed in CISA's KEV catalog. Attackers can exploit the flaw without authentication by sending a crafted AJAX request to the update_intent_ajax action from any external origin; the publicly exposed nonce does not prevent this. The impact is primarily financial loss, and the attacker only needs internet connectivity and knowledge of the WordPress admin-ajax endpoint. Overall, the risk is moderate but should be mitigated promptly.

Generated by OpenCVE AI on March 19, 2026 at 15:26 UTC.
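The two defects the description names, client-supplied JSON replacing `$_POST` and a public nonce treated as if it were authorization, are easiest to see against a handler that avoids both. The following is an added illustration written for this page, not Formidable Forms code and not a patch for it. Everything prefixed `example_`, the pricing table, the `EXAMPLE_STRIPE_SECRET_KEY` constant and calling stripe-php directly from the handler are assumptions; `check_ajax_referer`, `wp_send_json_error`, `absint` and `wp_unslash` are standard WordPress functions.

```php
<?php
// Added illustration (hypothetical, not Formidable Forms code): a WordPress
// AJAX handler that updates a Stripe PaymentIntent amount without letting the
// client choose the price. Assumes stripe-php is loaded and the intent was
// created server-side with metadata.form_id set.

add_action( 'wp_ajax_example_update_intent', 'example_update_intent_ajax' );
add_action( 'wp_ajax_nopriv_example_update_intent', 'example_update_intent_ajax' ); // guest checkout

/**
 * Server-side pricing is the only source of truth for what a form charges.
 * Hypothetical table; a real plugin would read the form's payment settings.
 */
function example_unit_price_cents( int $form_id ): ?int {
    $prices = array( 12 => 4999, 15 => 1500 ); // form_id => unit price in cents (constructed)
    return $prices[ $form_id ] ?? null;
}

/**
 * Recompute the amount from server-side pricing and a bounded quantity.
 * The quantity is the only client input used, and the price never is.
 */
function example_authoritative_amount( int $form_id, array $post ): ?int {
    $unit = example_unit_price_cents( $form_id );
    if ( null === $unit ) {
        return null;
    }
    $qty = isset( $post['quantity'] ) ? absint( $post['quantity'] ) : 0;
    if ( $qty < 1 || $qty > 100 ) {
        return null;
    }
    return $unit * $qty;
}

function example_update_intent_ajax() {
    // CSRF check only. The nonce is printed into public page JavaScript, so a
    // valid nonce proves the request came through our page, not that the
    // caller may decide the amount.
    check_ajax_referer( 'example_intent_nonce', 'nonce' );

    // Read the individual fields we need from $_POST; never decode a client
    // JSON blob over the superglobal.
    $intent_id = isset( $_POST['intent_id'] ) ? sanitize_text_field( wp_unslash( $_POST['intent_id'] ) ) : '';
    $form_id   = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( '' === $intent_id || 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'missing parameters' ), 400 );
    }

    $amount = example_authoritative_amount( $form_id, $_POST );
    if ( null === $amount ) {
        wp_send_json_error( array( 'message' => 'invalid form or quantity' ), 400 );
    }

    try {
        \Stripe\Stripe::setApiKey( EXAMPLE_STRIPE_SECRET_KEY ); // hypothetical constant
        $intent = \Stripe\PaymentIntent::retrieve( $intent_id );

        // Authorization proper: the intent must belong to this form, and must
        // still be in a state where the amount is legitimately changeable.
        $bound_form = isset( $intent->metadata['form_id'] ) ? (string) $intent->metadata['form_id'] : '';
        if ( (string) $form_id !== $bound_form ) {
            wp_send_json_error( array( 'message' => 'intent does not belong to this form' ), 403 );
        }
        if ( ! in_array( $intent->status, array( 'requires_payment_method', 'requires_confirmation' ), true ) ) {
            wp_send_json_error( array( 'message' => 'intent can no longer be modified' ), 409 );
        }

        \Stripe\PaymentIntent::update( $intent_id, array( 'amount' => $amount ) );
    } catch ( \Stripe\Exception\ApiErrorException $e ) {
        wp_send_json_error( array( 'message' => 'payment provider error' ), 502 );
    }

    wp_send_json_success( array( 'amount' => $amount ) );
}
```

For logged-out visitors WordPress derives the nonce from user ID 0 and an empty session token, so every anonymous visitor of the page receives the same value until it rotates; a nonce can therefore only ever prove that a request originated from the site's own page, never who sent it or what they are entitled to change. The recomputation in `example_authoritative_amount()` is what actually closes the gap: whatever the client submits, the amount sent to Stripe is derived from server-held pricing.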

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Formidable Forms plugin to a version newer than 6.28 to remove the vulnerable AJAX handler.
  • If an immediate upgrade is not possible, disable the Stripe payment integration or block access to the update_intent_ajax endpoint to prevent unauthorized payment manipulation.
  • Monitor the vendor's security advisories for further patches and apply any updates as soon as they become available.
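Checking whether an install is inside the affected range is a one-file read: WordPress plugins declare their version in the header comment of the main plugin file. The script below is an added check for this page, not vendor tooling; it assumes the plugin lives at the standard path formidable/formidable.php under wp-content/plugins (adjust `$plugin_file` otherwise) and takes the WordPress root as its first argument.

```php
<?php
// Added check (hypothetical, not Formidable Forms code): report whether the
// installed plugin version is at or below 6.28, the last affected version
// named in the advisory. Usage: php check_formidable.php /path/to/wordpress

$wp_root       = $argv[1] ?? '/var/www/html';            // assumed default root
$plugin_file   = $wp_root . '/wp-content/plugins/formidable/formidable.php'; // assumed path
$last_affected = '6.28';

/**
 * Read the "Version:" line from a plugin's header comment. The regex mirrors
 * the pattern WordPress itself uses for plugin headers, and only the first
 * 8 KB are read, which is the same region WordPress inspects.
 */
function example_plugin_version( string $path ): ?string {
    if ( ! is_readable( $path ) ) {
        return null;
    }
    $header = file_get_contents( $path, false, null, 0, 8192 );
    if ( false !== $header && preg_match( '/^[ \t\/*#@]*Version:\s*(.+)$/mi', $header, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

$version = example_plugin_version( $plugin_file );
if ( null === $version ) {
    fwrite( STDERR, "Formidable Forms not found or header unreadable at $plugin_file\n" );
    exit( 2 );
}

// version_compare() orders 6.28 < 6.28.1 < 6.29, so "newer than 6.28" is
// exactly the '>' case and anything '<=' 6.28 is in the affected range.
$affected = version_compare( $version, $last_affected, '<=' );
printf( "Formidable Forms %s: %s\n", $version,
    $affected ? "AFFECTED (<= $last_affected), upgrade required" : 'not in the affected range' );
exit( $affected ? 1 : 0 );
```

The exit code (1 for affected, 0 for clear, 2 for not found) makes the script usable from a fleet inventory job; a site that reports affected but cannot upgrade yet should apply the interim measures listed above until it can.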

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values removed: none
  Values added:
    • Strategy11team
    • Strategy11team formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
    • Wordpress
    • Wordpress wordpress
Type: Vendors & Products
  Values removed: none
  Values added:
    • Strategy11team
    • Strategy11team formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
    • Wordpress
    • Wordpress wordpress

Fri, 13 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
  Values removed: none
  Values added:
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 08:45:00 +0000

Type: Description
  Values added: the description text shown at the top of this record
Type: Title
  Values added: Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter
Type: Weaknesses
  Values added: CWE-639
Type: References
  Values added: none listed
Type: Metrics (cvssV3_1)
  Values added:
    {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-13T16:04:08.409Z

Reserved: 2026-02-20T17:11:27.201Z

Link: CVE-2026-2888

Vulnrichment

Updated: 2026-03-13T16:04:05.024Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:34.707

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-2888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:39Z

Weaknesses