Description
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Payment Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass, as described in the plugin source code where the Stripe Link return handler, key detail from plugin code: "handle_one_time_stripe_link_return_url", marks payment records as complete based solely on the Stripe PaymentIntent status without verifying the amount paid. The verify_intent() function validates only client secret ownership without binding the intent to specific forms or actions, allowing a malicious actor to reuse a low‑value PaymentIntent to incorrectly complete a high‑value payment. This flaw enables unauthenticated attackers to effectively bypass payment for goods or services, compromising financial integrity and potentially leading to revenue loss or fraudulent transaction approval.

Affected Systems

All installations of the Formidable Forms WordPress plugin by strategy11team up to and including version 6.28 are affected. The plugin’s marketplace listing confirms version 6.28 is the latest vulnerable release, and the issue persists through all earlier releases. No alternative versions or patches are listed as mitigated.

Risk and Exploitability

The vulnerability is rated CVSS 7.5 (High) with an EPSS score of less than 1%, indicating low current exploitation probability. It is not listed in the CISA KEV catalog, which suggests no publicly documented exploitation yet. The likely attack vector is unauthenticated, exploiting the payment intent reuse via the Stripe Link return URL. Attackers need only access the payment intent URL to trigger the bypass; no additional credentials are required. The impact is financial, affecting the confidentiality and integrity of transaction data and potentially leading to unauthorized revenue capture.

Generated by OpenCVE AI on March 19, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Formidable Forms to the latest version (>=6.29) to apply the vendor patch that fixes PaymentIntent validation.
  • After updating, verify that the Stripe integration validates payment intent amounts and limits reuse to the originating transaction.
  • If immediate update is not possible, disable or remove the Stripe Link feature until a patch is applied to prevent the bypass.
  • Monitor transactional logs for abnormal or repeated use of PaymentIntent IDs and alert on any discrepancies.

Generated by OpenCVE AI on March 19, 2026 at 14:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Strategy11team
Strategy11team formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Wordpress
Wordpress wordpress
Vendors & Products Strategy11team
Strategy11team formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 07:45:00 +0000

Type Values Removed Values Added
Description The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
Title Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Strategy11team Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-13T16:06:09.532Z

Reserved: 2026-02-20T17:24:41.038Z

Link: CVE-2026-2890

cve-icon Vulnrichment

Updated: 2026-03-13T16:06:05.987Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:34.897

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-2890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:43Z

Weaknesses