Payment Integrity Bypass in Formidable Forms Plugin for WordPress
CVE-2026-2890
Key Information:
- Vendor: WordPress
- CVE Published: 13 March 2026
What is CVE-2026-2890?
The Formidable Forms plugin for WordPress contains a payment integrity bypass that unauthenticated attackers can exploit. The plugin's Stripe Link return handler marks a payment record as complete based solely on the status of the Stripe PaymentIntent the client returns with; it never compares the amount actually charged against the amount the form action expects. Its only ownership check is that the caller knows the PaymentIntent's client secret, and nothing binds a PaymentIntent to the specific form, payment action or entry it was created for. An attacker who completed a genuine low-value payment can therefore reuse that succeeded PaymentIntent (and its client secret) on the return handler for a new, unrelated high-value payment, and the plugin marks the high-value transaction as paid without the expected amount ever being charged.
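The two checks below are an added illustration of the flaw described above and are not code from Formidable Forms or from the advisory. The PaymentIntent array is a constructed stand-in for the JSON a server-side `PaymentIntents::retrieve` call returns; the function names (`verifyReturnVulnerable`, `verifyReturnHardened`), the `$expected` record and the `form_id`/`action_id`/`entry_id` metadata keys are assumptions made for the example, not names the plugin uses. The first function reproduces the status-plus-client-secret pattern; the second adds the amount, currency, binding and single-use checks that close the replay.

```php
<?php
// Added example, not Formidable Forms code. Field names on the PaymentIntent
// (id, status, amount, amount_received, currency, client_secret, metadata) are
// the real Stripe API fields; the values are constructed sample data.

// A $5.00 PaymentIntent that genuinely succeeded earlier for form 7 / action 3.
$intent = [
    'id'              => 'pi_example_lowvalue',
    'status'          => 'succeeded',
    'amount'          => 500,          // minor units (cents)
    'amount_received' => 500,
    'currency'        => 'usd',
    'client_secret'   => 'pi_example_lowvalue_secret_abc',
    'metadata'        => ['form_id' => '7', 'action_id' => '3', 'entry_id' => '1001'],
];

// The $500.00 payment the attacker wants marked as complete (hypothetical record).
$expected = [
    'form_id'   => '12',
    'action_id' => '9',
    'entry_id'  => '2002',
    'amount'    => 50000,
    'currency'  => 'usd',
];

/**
 * The pattern the advisory describes: trust the intent's status and only
 * confirm that the caller knows the intent's client secret. An attacker who
 * replays the id and secret of an old, completed intent passes both checks.
 */
function verifyReturnVulnerable(array $intent, string $clientSecretFromRequest): bool
{
    if (!hash_equals($intent['client_secret'], $clientSecretFromRequest)) {
        return false;
    }
    return $intent['status'] === 'succeeded';
}

/**
 * Hardened check: the intent must have succeeded, must carry the binding
 * metadata that the server wrote into it when creating it for this exact
 * form/action/entry, must have received the expected amount in the expected
 * currency, and must not already have been used to complete another payment.
 */
function verifyReturnHardened(array $intent, array $expected, string $clientSecretFromRequest, array &$consumedIntents): bool
{
    if (!hash_equals($intent['client_secret'], $clientSecretFromRequest)) {
        return false;
    }
    if ($intent['status'] !== 'succeeded') {
        return false;
    }
    // Bind the intent to the form action being completed (Stripe stores metadata values as strings).
    $meta = $intent['metadata'] ?? [];
    foreach (['form_id', 'action_id', 'entry_id'] as $key) {
        if (($meta[$key] ?? null) !== (string) $expected[$key]) {
            return false;
        }
    }
    // Compare what Stripe actually received with what the form action expects.
    if ((int) $intent['amount_received'] !== (int) $expected['amount']
        || strtolower($intent['currency']) !== strtolower($expected['currency'])) {
        return false;
    }
    // One intent completes one payment: reject a replay of an already-consumed intent.
    if (isset($consumedIntents[$intent['id']])) {
        return false;
    }
    $consumedIntents[$intent['id']] = true;
    return true;
}

$consumed = [];
$replayedSecret = $intent['client_secret']; // the attacker already knows it from the earlier $5 payment

var_dump(verifyReturnVulnerable($intent, $replayedSecret));
var_dump(verifyReturnHardened($intent, $expected, $replayedSecret, $consumed));
```

Run with `php example.php`: the vulnerable check accepts the replayed $5 intent for the $500 payment, while the hardened check rejects it on the form binding and again on the amount. Two points matter in practice: the handler must fetch the PaymentIntent from Stripe with the secret key rather than trusting any status or amount the browser posts back, and the binding metadata must be written server-side when the intent is created, since anything the client can set is not a binding.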

Affected Version(s)
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder: all versions <= 6.28