Authorization Bypass Vulnerability in Formidable Forms Plugin by WordPress
CVE-2026-2888
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 13 March 2026
What is CVE-2026-2888?
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass, allowing unauthenticated users to exploit the system. This occurs through the frm_strp_amount AJAX handler, which fails to adequately verify the user's authorization and accepts attacker-controlled JSON input. Consequently, attackers can manipulate PaymentIntent amounts during the payment process, especially on forms utilizing dynamic pricing with field shortcodes. This vulnerability is exacerbated by a nonce that is publicly available in JavaScript, providing CSRF protection without sufficient authorization checks, thereby giving attackers the potential to significantly alter transaction values.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
Formidable Forms β Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder * <= 6.28