{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2890", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-20T17:24:41.038Z", "datePublished": "2026-03-13T07:23:39.586Z", "dateUpdated": "2026-04-08T17:31:16.361Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:16.361Z"}, "affected": [{"vendor": "strategy11team", "product": "Formidable Forms \u2013 Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.28", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services."}], "title": "Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb4bc5a-9469-4733-acf3-d2dda5edb7af?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L429"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L92"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Andr\u00e9s Cruciani"}], "timeline": [{"time": "2026-03-12T19:21:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:06:03.403316Z", "id": "CVE-2026-2890", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:06:09.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:06:03.403316Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:06:05.987Z"}}], "cna": {"title": "Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse", "credits": [{"lang": "en", "type": "finder", "value": "Andr\u00e9s Cruciani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "strategy11team", "product": "Formidable Forms \u2013 Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.28"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-12T19:21:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb4bc5a-9469-4733-acf3-d2dda5edb7af?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L429"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L92"}], "descriptions": [{"lang": "en", "value": "The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:16.361Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2890", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:16.361Z", "dateReserved": "2026-02-20T17:24:41.038Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-13T07:23:39.586Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services."}, {"lang": "es", "value": "El plugin Formidable Forms para WordPress es vulnerable a una elusi\u00f3n de la integridad de pago en todas las versiones hasta la 6.28, inclusive. Esto se debe a que el gestor de retorno de Stripe Link ('handle_one_time_stripe_link_return_url') marca los registros de pago como completados bas\u00e1ndose \u00fanicamente en el estado del PaymentIntent de Stripe sin comparar el importe cobrado del intent con el importe de pago esperado, y a que la funci\u00f3n 'verify_intent()' valida solo la propiedad del secreto del cliente sin vincular los intents a formularios o acciones espec\u00edficos. Esto hace posible que atacantes no autenticados reutilicen un PaymentIntent de un pago de bajo valor completado para marcar un pago de alto valor como completado, eludiendo eficazmente el pago de bienes o servicios."}], "id": "CVE-2026-2890", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:34.897", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L429"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteLinkController.php#L79"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb4bc5a-9469-4733-acf3-d2dda5edb7af?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Formidable Forms \u2013 Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder", "source": "cna", "vendor": "strategy11team"}, "product": "formidable_forms_\u2013_contact_form_plugin,_survey,_quiz,_payment,_calculator_form_&_custom_form_builder", "vendor": "strategy11team"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T14:43:07.240942+00:00", "value": {"mitigation_remediation": ["Update Formidable Forms to the latest version (>=6.29) to apply the vendor patch that fixes PaymentIntent validation.", "After updating, verify that the Stripe integration validates payment intent amounts and limits reuse to the originating transaction.", "If immediate update is not possible, disable or remove the Stripe Link feature until a patch is applied to prevent the bypass.", "Monitor transactional logs for abnormal or repeated use of PaymentIntent IDs and alert on any discrepancies."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Payment Authorization Bypass"}, "threat_synthesis": {"affected_systems": "All installations of the Formidable Forms WordPress plugin by strategy11team up to and including version 6.28 are affected. The plugin\u2019s marketplace listing confirms version 6.28 is the latest vulnerable release, and the issue persists through all earlier releases. No alternative versions or patches are listed as mitigated.", "description_and_impact": "The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass, as described in the plugin source code where the Stripe Link return handler, key detail from plugin code: \"handle_one_time_stripe_link_return_url\", marks payment records as complete based solely on the Stripe PaymentIntent status without verifying the amount paid. The verify_intent() function validates only client secret ownership without binding the intent to specific forms or actions, allowing a malicious actor to reuse a low\u2011value PaymentIntent to incorrectly complete a high\u2011value payment. This flaw enables unauthenticated attackers to effectively bypass payment for goods or services, compromising financial integrity and potentially leading to revenue loss or fraudulent transaction approval.", "risk_and_exploitability": "The vulnerability is rated CVSS 7.5 (High) with an EPSS score of less than 1%, indicating low current exploitation probability. It is not listed in the CISA KEV catalog, which suggests no publicly documented exploitation yet. The likely attack vector is unauthenticated, exploiting the payment intent reuse via the Stripe Link return URL. Attackers need only access the payment intent URL to trigger the bypass; no additional credentials are required. The impact is financial, affecting the confidentiality and integrity of transaction data and potentially leading to unauthorized revenue capture."}}}}, "created": "2026-03-16T09:37:57.577067+00:00", "updated": "2026-03-23T09:59:43.168423+00:00", "vendors": ["strategy11team", "strategy11team$PRODUCT$formidable_forms_\u2013_contact_form_plugin,_survey,_quiz,_payment,_calculator_form_&_custom_form_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}